Method and system for managing access rights of file room door controller based on TCP / IP communication

By generating and issuing time-sensitive access certificates, the access control controller completes identity and time verification locally, solving the problems of network dependence and timeliness, and realizing precise and flexible access control for the archives.

CN122176830APending Publication Date: 2026-06-09ZHONGDA KESHENG TECHNOLOGY GROUP CO LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
ZHONGDA KESHENG TECHNOLOGY GROUP CO LTD
Filing Date
2026-03-16
Publication Date
2026-06-09

Smart Images

  • Figure CN122176830A_ABST
    Figure CN122176830A_ABST
Patent Text Reader

Abstract

This application relates to the field of computer communication and security control technology, and provides a method and system for access control management of archive storage rooms based on TCP / IP communication, solving the problems of heavy network dependence and inflexible access control. The method includes: receiving an archive borrowing request from an archive management terminal; verifying whether the corresponding operation permission is within a pre-set valid time period based on the borrowing request, and generating an access validity certificate if the verification is successful; transmitting the access validity certificate to the access control controller via a TCP / IP communication network; receiving and parsing the access validity certificate, and after successful identity verification, determining whether the current time is within the time window allowed by the access validity certificate; and, based on the determination result, performing the opening or closing operation of the archive storage room door lock. The technical solution provided by this application not only achieves accurate, secure, and network-independent control of access permissions to archive storage rooms through offline verification of digital certificates.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the field of computer communication and security control technology, and in particular to a method and system for access control management of archive storage rooms based on TCP / IP communication. Background Technology

[0002] With the increasing digitalization of archival management, there is a growing demand for remote authorization, precise targeting of specific archival items, and strict timeliness in access control of physical archival storage facilities, in order to improve management efficiency while ensuring security.

[0003] The current technical solution is to use a central server for centralized verification and control. When an operator requests access, the central server verifies the operator's permissions and the validity of the time in real time, and sends an immediate door opening command directly to the designated access controller via the network.

[0004] However, this method still suffers from an over-reliance on the real-time connectivity of the central server and the network. When the network is interrupted or delayed, even if the permissions are valid, the verification and door opening operations cannot be completed. At the same time, this method can usually only perform coarse-grained time control, making it difficult to generate and issue an independent, accurate, and offline verifiable time window credential for a specific borrowing request. Summary of the Invention

[0005] This application provides a method and system for access control and permission management of archive storage rooms based on TCP / IP communication, in order to solve the problems of heavy network dependence and inflexible time-limited permission control in the prior art.

[0006] Firstly, this application provides a method for access control management of an archive storage room based on TCP / IP communication, including: Receive file borrowing request information initiated from the file management terminal, wherein the file borrowing request information includes the target file number; Based on the file borrowing request information, verify whether the operation permission corresponding to the file borrowing request information is within the valid time period preset by the file administrator. When the verification is successful, generate a permission validity certificate. The validity certificate of the access control is transmitted via TCP / IP communication network to the access controller associated with the physical storage location corresponding to the target file number; The system receives and parses the permission validity certificate. After successful identity verification, it determines whether the current time is within the time window allowed by the permission validity certificate. Based on the determination result, it performs the opening or closing operation of the door lock of the archive storage room.

[0007] Optionally, receiving a file borrowing request from a file management terminal, the file borrowing request information including the target file number, including: On the human-computer interaction interface of the file management terminal, select a file item from the pre-stored file catalog list and extract the target file number corresponding to the file item; Based on the selected file entry and the corresponding target file number, initial request data is generated. The initial request data includes the target file number, the timestamp of the initial request data generation, and the operator identifier used when logging into the file management terminal. The initial request data is encrypted to obtain encrypted request data, and the encrypted request data is organized into a data packet according to predefined communication rules. The data packets are sent to the central system via a TCP / IP communication network, and the data packets are parsed according to the predefined communication rules to obtain encrypted data. The encrypted data is decoded to obtain the file borrowing request information.

[0008] Optionally, based on the file borrowing request information, it is verified whether the operation permission corresponding to the file borrowing request information is within a valid time period preset by the file administrator. When the verification is successful, a permission validity certificate is generated, including: Extract the target file number, operator identifier, and time stamp of when the file borrowing request information was generated from the file borrowing request information; Based on the target file number, search for the access control controller identifier corresponding to the target file number in the pre-stored file access control association; Based on the operator's identifier, query the permission rule base that is pre-set and stored by the file administrator to obtain the target file category associated with the operator's identifier and the fixed valid time period configured for the target file category. The fixed valid time period includes the start date and end date and time of the allowed operation. Determine whether the timestamp when the file borrowing request information is generated falls within the time range of the fixed valid time period, and determine whether the file category to which the target file number belongs is included in the target file category; When the timestamp falls within the fixed valid time period and the file category to which the target file number belongs is included, the verification is deemed successful. After the verification is passed, the allowed operation time window is calculated based on the start and end dates of the fixed valid time period; The operator identifier, the target file number, the access control controller identifier, and the permitted operation time window are combined to form an initial data packet, which is then encrypted and digitally signed to generate an authorization validity certificate.

[0009] Optionally, determining whether the timestamp when the file borrowing request information is generated falls within the time range of the fixed valid time period, and determining whether the file category to which the target file number belongs is included in the target file category, includes: According to the preset field arrangement order, the operator identifier, the target file number, the access control controller identifier, and the start and end dates of the allowed operation time window are sequentially concatenated to form a plaintext string; The plaintext string is processed by applying a preset first encoding rule, converting each character in the plaintext string into a corresponding binary value sequence to obtain binary encoded data; The private coded key stored in the central system is invoked to perform operations on the binary coded data and generate additional verification data. The additional verification data is appended to the end of the binary encoded data to form a combined data block; The combined data block is processed by applying a preset second encoding rule, the binary data in the combined data block is segmented into segments of fixed length, each segment of binary data is mapped to a printable character in a predetermined character set, and all printable characters are arranged in order to generate an authorization validity certificate.

[0010] Optionally, transmitting the access certificate to the access control controller associated with the physical storage location corresponding to the target file number via a TCP / IP communication network includes: Extract the exit control controller identifier from the permission validity certificate; Search the pre-stored network address mapping table for the network address information that uniquely corresponds to the access controller identifier; The authorization certificate is used as the core data content to be sent, and a control header containing the network address information is added to the header of the core data content to generate a network transmission data frame. The network transmission data frames are sent to the TCP / IP communication network through the network interface; The routing device in the TCP / IP communication network forwards the network transmission data frame to the access control controller specified by the access control controller identifier based on the network address information in the control header of the network transmission data frame. After the access control controller receives the network transmission data frame through the network interface, it removes the control header, extracts the permission validity certificate, and stores the permission validity certificate in the access control controller's local non-volatile memory.

[0011] Optionally, the system receives and parses the permission validity certificate. After successful identity verification, it determines whether the current time is within the time window allowed by the permission validity certificate. Based on the determination result, it performs an opening or closing operation on the door lock of the archive storage room, including: Read the permission validity certificate from local non-volatile memory; The permission validity certificate is processed by applying the reverse processing rule corresponding to the second encoding rule, restoring the printable character sequence in the permission validity certificate into a combined data block, and separating the combined data block into binary encoded data and additional verification data; The pre-stored public encoding key is used to perform calculations on the binary encoded data to generate reference verification data. The reference verification data is then compared with the additional verification data. When the reference verification data and the additional verification data are consistent, the permission validity certificate is determined to be complete and valid. Once the permission validity certificate is determined to be complete and valid, the reverse processing rule corresponding to the first encoding rule is applied to extract the operator identifier, the start date and end date of the allowed operation time window from the binary encoded data. The operator's identity information collected on-site is compared with the operator's identifier. When the operator's identity information collected on-site matches the operator's identifier, the identity verification is deemed successful. The system obtains the current date and time, determines whether the current date and time are within the time range defined by the start date and time and end date and time, and generates a drive signal based on the determination result to control the electronic door lock to perform an opening or closing operation.

[0012] Optionally, a pre-stored public key is used to perform calculations on the binary encoded data to generate reference verification data, and the reference verification data is compared with the additional verification data. When the reference verification data and the additional verification data are consistent, the permission validity certificate is determined to be complete and valid, including: Read the pre-stored public coded key from the secure storage area of ​​the access control controller, and use the public coded key and the binary coded data as input to perform calculations and generate reference verification data; The additional verification data is extracted from the end of the combined data block at a predetermined fixed length; The reference verification data and the additional verification data are compared element by element. When each corresponding element of the reference verification data and the additional verification data is the same, the permission validity certificate is determined to be complete and valid.

[0013] Secondly, this application provides a TCP / IP-based access control and permission management system for archive storage rooms, including: The receiving module is used to receive file borrowing request information initiated from the file management terminal, wherein the file borrowing request information includes the target file number; The verification module is used to verify whether the operation permission corresponding to the file borrowing request information is within a valid time period preset by the file administrator based on the file borrowing request information. When the verification is successful, a permission validity certificate is generated. The transmission module is used to transmit the authorization certificate via a TCP / IP communication network to the access controller associated with the physical storage location corresponding to the target file number; The execution module is used to receive and parse the permission validity certificate. After the identity is verified, it determines whether the current time is within the time window allowed by the permission validity certificate. Based on the determination result, it performs the opening or closing operation of the door lock of the archive storage room.

[0014] Thirdly, this application provides a computing device, including a processing component and a storage component; the storage component stores one or more computer instructions; the one or more computer instructions are invoked and executed by the processing component to implement the TCP / IP communication-based access control access management method for archive storage as described in the first aspect above.

[0015] Fourthly, this application provides a computer storage medium storing a computer program, which, when executed by a computer, implements a TCP / IP-based access control method for managing access permissions in an archive storage room as described in the first aspect.

[0016] The beneficial effects of this application are: This application generates and issues permission validity certificates containing specific time windows, enabling access control controllers to independently verify the integrity of the certificate itself, the identity of the holder, and the validity of the operation time locally after receiving the certificate. This reduces the absolute dependence on continuous real-time connectivity between the central system and the network. Even in the event of a temporary network interruption or delay, as long as the access control controller has pre-stored a valid permission validity certificate, it can perform door lock control based on the time window in the certificate and the on-site identity verification result. This solves the problem of authorization failure caused by network connectivity issues in the prior art and enhances the availability and reliability of the system in complex network environments.

[0017] Furthermore, since each access certificate is generated for a single file borrowing request, a specific file, and a specific operator, and is bound to a precise allowed operation time window, this achieves refined and dynamic access control. The access controller can strictly ensure that every door opening operation is within the pre-authorized precise time period by parsing the certificate content to make time judgments, which surpasses the limitations of traditional solutions that can only perform coarser-grained control such as fixed time periods every day.

[0018] These or other aspects of this application will become more apparent in the following description of the embodiments. Attached Figure Description

[0019] To more clearly illustrate the technical solutions in this application or the prior art, the drawings used in the description of the embodiments or the prior art will be briefly introduced below. Obviously, the drawings described below are some embodiments of this application. For those skilled in the art, other drawings can be obtained based on these drawings without creative effort.

[0020] Figure 1 A flowchart of a method for access control management of an archive storage room based on TCP / IP communication, as provided in this application, is shown. Figure 2 This application provides a schematic diagram of the structure of an access control and permission management system for an archive storage room based on TCP / IP communication. Figure 3 A schematic diagram of the structure of a computing device provided in this application is shown. Detailed Implementation

[0021] To enable those skilled in the art to better understand the present application, the technical solution of the present application will be clearly and completely described below with reference to the accompanying drawings.

[0022] In some of the processes described in the specification, claims, and accompanying drawings of this application, multiple operations appearing in a specific order are included. However, it should be clearly understood that these operations may not be executed in the order they appear herein, or may be executed in parallel. The operation numbers, such as 101, 102, etc., are merely used to distinguish different operations and do not themselves represent any execution order. Furthermore, these processes may include more or fewer operations, and these operations may be executed sequentially or in parallel. It should be noted that the descriptions such as "first," "second," etc., in this document are used to distinguish different messages, devices, modules, etc., and do not represent a chronological order, nor do they limit "first" and "second" to different types.

[0023] The technical solutions of this application will now be clearly and completely described with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of this application, and not all embodiments. Based on the embodiments of this application, all other embodiments obtained by those skilled in the art without creative effort are within the scope of protection of this application.

[0024] Figure 1 This application provides a flowchart of a method for access control and permission management of an archive storage room based on TCP / IP communication, as shown in the flowchart. Figure 1 As shown, the method includes: Step 101: Receive a file borrowing request from the file management terminal, wherein the file borrowing request includes the target file number.

[0025] Optionally, step 101 may specifically include: Step 1011: On the human-computer interaction interface of the file management terminal, select a file item from the pre-stored file catalog list and extract the target file number corresponding to the file item.

[0026] Step 1012: Generate initial request data based on the selected file entry and the corresponding target file number. The initial request data includes the target file number, the timestamp of generating the initial request data, and the operator identifier used when logging into the file management terminal.

[0027] Step 1013: Encrypt the initial request data to obtain encrypted request data, and organize the encrypted request data into a data packet according to predefined communication rules.

[0028] Step 1014: Send the data packet to the central system via the TCP / IP communication network, and parse the data packet according to the predefined communication rules to obtain encrypted data.

[0029] Step 1015: Decode the encrypted data to obtain the file borrowing request information.

[0030] In this step, the document borrowing request information refers to the digital application instruction initiated by the operator on the document management terminal, requesting physical access to a specific document, which is used to initiate the entire access control permission verification process.

[0031] The target file number refers to the unique identification code assigned to each physical file in the file management system. It is used to accurately locate a specific file in the system and is extracted from the selected file entries.

[0032] The human-computer interaction interface refers to the graphical display and operation area on the file management terminal for operators to view information and input operations, and is used to receive instructions from operators.

[0033] A pre-stored archive catalog refers to a list that is stored in advance in the archive management terminal or a server connected to it, containing basic information such as number, name, and location of all available archives, for operators to browse and select.

[0034] An archive entry refers to a specific item in a pre-stored archive catalog list, representing a record of an archive, which is used by operators to select and indicate their borrowing target.

[0035] The initial request data refers to the raw data packet formed locally on the file management terminal by combining the target file number, the timestamp when the data was generated, and the operator's identification, which is used for subsequent encryption and transmission.

[0036] A timestamp refers to the precise date and time automatically recorded by the system clock of the file management terminal at the moment the initial request data was generated, used to identify the time point when the request was initiated.

[0037] Operator identification refers to the unique information used by operators when logging into the file management terminal, which represents their identity within the system. It is usually an employee number or account number and is used to identify the request initiator in subsequent processes. It is obtained through the login verification process.

[0038] Encrypted request data refers to data obtained by applying encryption algorithms to the initial request data, and whose content cannot be directly identified. It is used to protect the confidentiality and integrity of request information during network transmission and is obtained by encrypting and encoding the initial request data.

[0039] Predefined communication rules refer to the data organization format and transmission protocol agreed upon in advance between the file management terminal and the central system. For example, how to add start flags, end flags, data lengths, checksums, etc., to ensure that both parties can correctly identify and parse the transmitted data packets.

[0040] A data packet refers to a data transmission unit that assembles encrypted request data and other necessary control information, such as start characters, addresses, and checksums, into a complete data transmission unit according to predefined communication rules, for independent and reliable transmission in a network.

[0041] Encrypted data refers to the original data portion that the central system extracts after receiving a data message, according to predefined communication rules. This encrypted data is then used for subsequent decoding to restore the original request information.

[0042] In this step, firstly, on the human-computer interaction interface of the file management terminal, the target file item is selected from the graphically displayed pre-stored file catalog list through touch or click operations. The application responds to this selection operation by executing a data extraction routine to read the unique target file number from the background data field corresponding to the selected file item. Secondly, a data assembly function is called to concatenate the extracted target file number, the current precise time obtained by calling the system clock interface as a timestamp, and the operator identifier read from the current login session according to a predetermined format to generate a structured initial request data. Then, the integrated encryption library is called to use a preset key to encrypt the initial request data using a symmetric encryption algorithm, converting it into encrypted request data in ciphertext form. Then, the network communication module is invoked to add a header and footer containing a start character, length information, and checksum to the encrypted request data according to a predefined communication protocol, assembling it into a standard format data packet. This data packet is then sent to the network via its network socket using the TCP / IP protocol. Upon receiving this packet, the network service daemon of the central system parses the packet structure according to the same communication protocol rules, stripping the header and footer information and extracting the core encrypted request data payload to obtain the encrypted encoded data. Finally, the corresponding decryption library is invoked, and the paired decryption key is used to decrypt the encrypted encoded data, restoring a readable plaintext data structure. This plaintext data structure contains the complete target file number, timestamp, and operator identification for the file borrowing request.

[0043] For example, operator A logs into their account on the computer file management terminal in the archives storage management office and clicks on file item B named "2023 Annual Financial Audit Report" in the list of available files displayed on the computer screen. First, the unique file number C is extracted from the background information of file B, and the number C, the current time 2024-05-27 10:30:00, and operator A's employee number EMP1001 are automatically packaged into an initial request data. Next, this data block is encrypted using a preset encryption algorithm, turning it into a bunch of encrypted request data, and a header and footer are added to it according to the prescribed format to form a data message. Then, it is sent to the central server of the archives through the network. After receiving it, the central server first removes the header and footer, obtains the encrypted code data in the middle, and then decrypts it with the paired key, successfully obtaining the clear file borrowing request information with number C, time 10:30, and employee number EMP1001.

[0044] This step, through a series of interconnected operations from terminal interface interaction, data extraction and combination, local encryption, standardized packet assembly, network transmission to central reception, parsing, and decryption, ensures that file borrowing requests can be securely, accurately, and reliably transmitted from the user's terminal to the central processing system.

[0045] Step 102: Based on the file borrowing request information, verify whether the operation permission corresponding to the file borrowing request information is within the valid time period preset by the file administrator. When the verification is successful, generate a permission validity certificate.

[0046] Optionally, step 102 may specifically include: Step 1021: Extract the target file number, operator identifier, and time stamp of the time when the file borrowing request information was generated from the file borrowing request information.

[0047] Step 1022: Based on the target file number, search for the access control controller identifier corresponding to the target file number in the pre-stored file access control association relationship.

[0048] Step 1023: Based on the operator identifier, query the permission rule library pre-set and stored by the file administrator to obtain the target file category associated with the operator identifier and the fixed valid time period configured for the target file category. The fixed valid time period includes the start date and end date and time of the allowed operation.

[0049] Step 1024: Determine whether the timestamp when the file borrowing request information is generated falls within the time range of the fixed valid time period, and determine whether the file category to which the target file number belongs is included in the target file category.

[0050] Optionally, step 1024 may specifically include the following steps: According to a preset field arrangement order, sequentially concatenate the operator identifier, the target file number, the access control controller identifier, and the start and end dates of the permitted operation time window to form a plaintext string; apply a preset first encoding rule to process the plaintext string, converting each character in the plaintext string into a corresponding binary value sequence to obtain binary encoded data; call the private encoded key stored in the central system to perform calculations on the binary encoded data to generate additional verification data; concatenate the additional verification data to the end of the binary encoded data to form a combined data block; apply a preset second encoding rule to process the combined data block, segmenting the binary data in the combined data block into segments of fixed length, mapping each segment of binary data to a printable character in a predetermined character set, and arranging all printable characters in sequence to generate an access validity certificate.

[0051] Step 1025: When the timestamp falls within the fixed valid time period and the file category to which the target file number belongs is included, the verification is deemed successful.

[0052] Step 1026: After the verification is passed, calculate the allowed operation time window based on the start date and end date of the fixed valid time period; Step 1027: Combine the operator identifier, the target file number, the access control controller identifier, and the permitted operation time window to form an initial data packet, and encrypt and digitally sign the data packet to generate an authorization validity certificate.

[0053] In this step, the access validity certificate refers to an encrypted and signed digital credential that is bound to a specific operator, target file, corresponding access control, and a precise time window, used to authorize access to a specified file repository within a specified time.

[0054] The pre-stored file access control association refers to a mapping table that is pre-set and stored in the central system, used to establish the correspondence between the unique number of each file and the access control controller corresponding to its physical storage location.

[0055] Access controller identifier refers to a code that uniquely identifies a specific access control device in the system. It is used for addressing and distinguishing different access controllers in the network.

[0056] A fixed valid time period refers to a continuous period of time pre-configured by the archivist for a specific person or type of archive, allowing them to operate within that time period. It includes specific start and end dates and times and is used to determine whether a borrowing request is initiated within the allowed time.

[0057] The preset field arrangement order refers to a fixed order followed by the central system when combining information, such as personnel identification - file number - access control identification - start time - end time, to ensure that the generated data format is uniform and can be correctly parsed.

[0058] Plaintext strings refer to a readable text string that is directly concatenated with the operator identifier, target file number, access control controller identifier, and start and end times of the time window according to a preset field arrangement order, and is used for subsequent encoding conversion.

[0059] The default first encoding rule refers to a rule that converts text characters into their binary representation in a computer, such as ASCII or UTF-8 encoding rules, and is used to convert plaintext strings into binary encoded data.

[0060] Binary encoded data refers to a sequence of 0s and 1s obtained after converting a plaintext string through the first encoding rule. It is a data form that computers can directly process, obtained by processing the plaintext string by applying the first encoding rule.

[0061] A private key is a unique and confidential string of data (i.e., a private key) that is exclusive to the central system and kept secret from the outside. It is used to perform an irreversible mathematical operation on binary encoded data to generate a unique piece of additional verification data.

[0062] Additional verification data refers to a fixed-length data segment representing the fingerprint of the binary data, generated by performing specific mathematical operations such as hash operations or signature operations on the binary encoded data using a private coded key. It is used to verify whether the data has been tampered with after transmission and is obtained by performing operations on the binary encoded data.

[0063] A combined data block refers to a larger binary data block formed by concatenating binary encoded data and additional verification data, used to bundle core information with its integrity check code for transmission.

[0064] The preset second encoding rule refers to a rule that converts binary data blocks into strings composed of specific characters such as letters and numbers, such as the Base64 encoding rule, which is used to encode combined data blocks into printable character text that is easy to transmit and store over the network.

[0065] Printable characters refer to standard characters that can be displayed on a screen or printed on a printer. They typically include uppercase and lowercase letters, numbers, and some symbols, and are obtained by mapping binary data segments according to a second encoding rule.

[0066] The initial data packet refers to a set of data temporarily combined with elements such as the operator identifier, target file number, access control controller identifier, and calculated time window obtained after successful verification, before the final certificate is generated. This data is used to prepare for the final encryption and signing.

[0067] In this step, the received file borrowing request information is first parsed to extract the target file number, operator identifier, and timestamp. Next, using the extracted target file number as the key, a database query is performed to search the pre-stored file access control relationship mapping table to find the corresponding access control controller identifier. Simultaneously, using the extracted operator identifier as the key, a database query is performed to retrieve the authorized target file category and its corresponding fixed valid time period from the access permission rule base. This fixed valid time period includes a clear start and end date and time. Then, two logical checks are performed: first, a date and time comparison operation is used to determine if the timestamp in the request falls within the fixed valid time period; second, information retrieval and list inclusion relationship checks are used to determine if the category to which the target file number belongs is in the list of authorized target file categories. Verification is considered successful only if both comparison operations are true. Subsequently, the start and end dates of the fixed valid period are directly defined as the time window for this permitted operation. Then, according to the preset field arrangement order, the operator identifier, target file number, access control controller identifier, and the start and end times of the time window are concatenated into a plaintext string through string concatenation. Next, the first encoding rule, such as UTF-8 encoding, is applied to encode this plaintext string to obtain the corresponding binary encoded data. Then, its digital signature module is called, using the stored private encoded key, to perform calculations on the above binary encoded data through a specific signature algorithm to generate an additional verification data, which is then appended to the end of the binary encoded data to form a combined data block. Finally, the second encoding rule, such as Base64 encoding, is applied to encode the entire combined data block, mapping it to a string composed of printable characters. This string is the final generated permission validity certificate.

[0068] For example, following the specific implementation of the previous step, a borrowing request with ID C, time 10:30, and employee ID EMP1001 is received and these three pieces of information are extracted. Next, ID C is used to check the file-access control association table, finding that the report is stored in smart file cabinet number 3, with the corresponding access control controller identifier GC003. Simultaneously, employee ID EMP1001 is used to check the permission rule base, finding that A has permission to operate on financial audit files, and the permitted operation time for this type of file is from 9:00 AM to 5:00 PM on weekdays. Then, it is determined that the request time of 10:30 AM falls within the 9:00 AM to 5:00 PM range, and the report with ID C belongs to the financial audit category, which is within the authorized scope; verification is successful. The permitted operation time window is then determined to be today, assuming it is from 9:00 AM to 5:00 PM on a weekday. Finally, this information is concatenated into the string EMP1001|C|GC003|2024-05-27 in the order of employee ID-file number-access control number-start time-end time. 09:00:00|2024-05-27 17:00:00, and convert it into binary; then use your unique private key to perform a digital signature operation on this binary data, and obtain a signature data attached to the end; finally, encode this binary data + signature combination block into Base64 to generate a text string similar to MDFENjM4QkIwNDk1MzA2NzUyRTAwM…, which is the authorization validity certificate for this authorization.

[0069] This step ensures that each issued access certificate has clear relevance, strict time validity, and immutability, providing a unique and reliable credential for subsequent offline and secure verification of the access control controller, and realizing precise, dynamic, and decentralized verification capabilities for access control.

[0070] Step 103: Transmit the permission validity certificate to the access control controller associated with the physical storage location corresponding to the target file number via TCP / IP communication network.

[0071] Optionally, step 103 may specifically include: Step 1031: Extract the access control controller identifier from the permission validity certificate.

[0072] Step 1032: Query the network address information that uniquely corresponds to the access controller identifier in the pre-stored network address mapping table.

[0073] Step 1033: Use the validity certificate as the core data content to be sent, and add a control header containing the network address information to the header of the core data content to generate a network transmission data frame.

[0074] Step 1034: Send the network transmission data frame to the TCP / IP communication network through the network interface.

[0075] Step 1035: Using the routing device in the TCP / IP communication network, the network transmission data frame is forwarded to the access control controller specified by the access control controller identifier according to the network address information in the control header of the network transmission data frame.

[0076] Step 1036: After the access control controller receives the network transmission data frame through the network interface, the control header is removed, the permission validity certificate is extracted, and the permission validity certificate is stored in the local non-volatile memory of the access control controller.

[0077] In this step, the access control controller refers to an embedded electronic device installed next to the door of the archive storage room. It has a built-in network interface, processor and memory, and is used to receive and store permission validity certificates, and to perform identity verification, time judgment and door lock driving operations on site.

[0078] The pre-stored network address mapping table refers to a database table maintained in the central system, which records the correspondence between each access controller identifier in the system and its unique logical or physical address in the network, and is used to convert the identifier into a routable network address.

[0079] Network address information refers to information that can uniquely identify and locate a terminal device in a network, such as an IP address or MAC address, and is used to guide the transmission path of data packets in the network.

[0080] The core data content to be sent refers to the main information that needs to be delivered to the target device in this network transmission task, namely the authorization certificate itself, which is used as the payload for generating network transmission data frames.

[0081] The control header is a structured information appended to the header of the core data content before network data transmission. It contains essential metadata such as the destination address, source address, and protocol type, which are used by network devices to address and forward data packets.

[0082] A network transmission data frame refers to a complete data packet that conforms to the network communication protocol format. It consists of a control header and encapsulated core data content, and is used to transmit as an independent unit in the network. It is obtained by adding the control header before the core data content.

[0083] In this step, the generated access control certificate string is first parsed. Since the access control controller identifier is encoded in a predetermined format during the generation of the access control certificate, the target access control controller identifier is extracted from the information contained in the access control certificate or based on its generation record using string processing technology. Next, using the extracted access control controller identifier as the query key, a database query operation is performed to search the pre-stored network address mapping table to obtain the network address information uniquely corresponding to the access control controller identifier, such as the IP address of the target access control controller. Then, network data packets are encapsulated, with the access control certificate string to be sent as the core data content to be sent. Then, the packet encapsulation function of the network protocol stack is called to generate a control header containing fields such as the target address and source address based on the obtained network address information. This control header is added to the beginning of the access control certificate string, and together they are assembled into a complete network transmission data frame conforming to the TCP / IP protocol format. Then, through its network interface card, the assembled network transmission data frame is converted into an electrical or optical signal and sent to the connected TCP / IP communication network. Then, network devices such as routers and switches in the communication network read the target network address information from the control header of the network transmission data frame, and according to the internal routing table, forward the data frame hop-by-hop from the network segment where the central system is located to the network segment connected to the target access controller using packet switching technology, ultimately delivering it to the target access controller. Finally, it continuously monitors the network through its network interface. When it detects a network transmission data frame sent to it, it receives it into its internal buffer. The access controller's network driver parses the network transmission data frame, removes the outer control header, and extracts the internal authorization certificate string. Finally, it writes the authorization certificate string into its local non-volatile memory for later use in on-site verification.

[0084] For example, following the specific implementation of the previous step, firstly, a validity certificate representing A's right to open cabinet No. 3 from 9:00 to 17:00 is generated, the content of which is MDFENjM4QkIwNDk1MzA2NzUyRTAwM…; and the target access control identifier is parsed out as GC003; then, the address mapping table is queried to find that the device IP address corresponding to the identifier GC003 is 192.168.1.103; then, taking the validity certificate string as the core content, an entry specifying the target address as 192.168.1.103 and the source address as the source address is added to the beginning. The protocol header containing the central server's IP address is packaged into a complete data packet. This data packet is then sent to the archive's internal LAN. The switch in the LAN forwards the packet to the network port connected to the No. 3 intelligent filing cabinet based on the destination IP address 192.168.1.103 in the packet header. Finally, the access controller installed on the No. 3 cabinet receives this data packet, removes the outer protocol header, retrieves the certificate string MDFENjM4QkIwNDk1MzA2NzUyRTAwM…, and securely stores it in its own flash memory chip.

[0085] This step completes the targeted and reliable delivery of the access control certificate from the central system to the target access controller. Through identifier resolution and address lookup, the logical device identifier is converted into a physical network path. Through standard network protocol encapsulation and routing, it ensures that the data can be accurately delivered to the target device in complex network environments. By storing the certificate locally on the terminal device, the access control controller gains the ability to perform offline verification.

[0086] Step 104: Receive and parse the permission validity certificate. After the identity verification is successful, determine whether the current time is within the time window allowed by the permission validity certificate. Based on the determination result, perform the opening or closing operation of the door lock of the archive storage room.

[0087] Optionally, step 104 may specifically include: Step 1041: Read the permission validity certificate from the local non-volatile memory.

[0088] Step 1042: Apply the reverse processing rule corresponding to the second encoding rule to process the permission validity certificate, restore the printable character sequence in the permission validity certificate to a combined data block, and separate the combined data block into binary encoded data and additional verification data.

[0089] Step 1043: Use the pre-stored public encoding key to perform calculations on the binary encoded data to generate reference verification data, and compare the reference verification data with the additional verification data. When the reference verification data and the additional verification data are consistent, the permission validity certificate is determined to be complete and valid.

[0090] Optionally, step 1043 may specifically include the following steps: reading a pre-stored public coded key from the secure storage area of ​​the access controller; performing arithmetic processing on the public coded key and the binary coded data as input to generate reference verification data; extracting the additional verification data from the end of the combined data block according to a predetermined fixed length; comparing the reference verification data and the additional verification data element by element; and determining that the permission validity certificate is complete and valid when each corresponding element of the reference verification data and the additional verification data is the same.

[0091] Step 1044: After determining that the permission validity certificate is complete and valid, the reverse processing rule corresponding to the first encoding rule is applied to extract the operator identifier, the start date and end date of the allowed operation time window from the binary encoded data.

[0092] Step 1045: The operator identity information collected from the site is compared with the operator identifier. When the operator identity information collected from the site matches the operator identifier, the identity verification is deemed successful.

[0093] Step 1046: Obtain the current date and time, determine whether the current date and time are within the time range defined by the start date and time and end date and time, and generate a drive signal based on the determination result to control the electric door lock to perform an opening or closing operation.

[0094] In this step, the pre-stored public key refers to a specific piece of data, namely a public key, that is pre-securely stored in the access controller and paired with the central system's private key. It is used to perform specific mathematical operations on the binary encoded data to generate a piece of reference verification data.

[0095] Reference verification data refers to a segment of data generated at the access control controller by performing specific mathematical operations on the received binary encoded data using a pre-stored public coded key. This data is used to compare with additional verification data to determine whether the certificate has been tampered with.

[0096] A drive signal is a specific electrical signal, such as a high or low level, output by the access control controller to the connected electric door lock based on the final verification and judgment results. It is used to directly control the electromagnet or motor of the door lock to perform the physical action of opening or closing. It is generated by the output circuit of the access control controller based on the judgment results.

[0097] In this step, upon arrival at the target archive storage location, the access controller first reads the previously stored authorization certificate string from its local non-volatile memory. Next, the access controller applies the reverse processing rule corresponding to the second encoding rule to decode the authorization certificate string. If the second encoding rule is Base64 encoding, Base64 decoding is performed here, restoring the printable character sequence back to the original binary combined data block. Then, based on the known fixed length of the additional verification data, the controller extracts a corresponding length of data from the end of the combined data block as additional verification data, leaving the remaining part as binary encoded data. Then, the access controller performs certificate validity verification, reading the pre-stored public encoding key from its secure storage area. Using this key, it performs a verification operation corresponding to the central system's signature algorithm on the separated binary encoded data, generating a reference verification data. Simultaneously, it performs a strict bit-by-bit or byte-by-byte comparison between the generated reference verification data and the additional verification data extracted from the combined data block. Only when the two are completely identical does the controller determine that the authorization certificate is complete, valid, and has not been tampered with. After the access control certificate is deemed complete and valid, the access controller applies the reverse processing rule corresponding to the first encoding rule to decode the binary encoded data. If the first encoding rule is UTF-8 encoding, then UTF-8 decoding is performed here, restoring the binary encoded data to the original plaintext string. Following a pre-defined field order, key information is extracted from this plaintext string, including the operator's identifier, the start and end dates of the permitted operation window, and so on. Then, on-site identity verification is performed by collecting the operator's identity information, such as the card number obtained from swiping a card or fingerprint feature, using connected biometric devices like card readers or fingerprint scanners. This on-site identity information is compared with the operator's identifier extracted from the access control certificate. If the two match, the on-site personnel's identity verification is deemed successful. After successful authentication, the access controller reads the current precise date and time provided by its internal real-time clock module and compares this current date and time with the start and end date and time extracted from the certificate to determine whether the current time falls within the time window. Finally, based on the time determination result, its control circuit generates the corresponding drive signal. If the current time is within the allowed time window, a high-level drive signal is generated and sent to the electronic door lock to trigger the door lock to perform the opening operation. If the current time is not within the time window, a low-level signal or no signal is generated to keep the door lock in the closed state.

[0098] For example, following the specific implementation of the previous step, operator A first arrives at smart filing cabinet number 3 at 2 PM to retrieve a document. The access control controller on the cabinet reads the previously stored certificate string MDFENjM4QkIwNDk1MzA2NzUyRTAwM… from its flash memory. Next, it performs Base64 decoding to obtain a string of binary data, and extracts the signature portion from the end as additional verification data. Then, using a public key pre-stored in its chip, it performs signature verification on the remaining binary encoded data, generating reference verification data, which is compared with the extracted signature. The result is consistent, proving that the certificate was issued by the central system and has not been altered. Finally, it performs UTF-8 decoding on the binary encoded data to restore the string EMP1001|C|GC003|2024-05-27 09:00:00|2024-05-27 At 17:00:00, the system extracts employee ID EMP1001 and the permitted time of 9:00-17:00. Then, A swipes his employee card on the card reader in front of the cabinet door. The controller reads the card number as EMP1001, which matches the employee ID extracted from the certificate, thus verifying identity. Finally, A checks his clock, which reads 14:00, between 9:00 and 17:00. He then sends an opening current signal to the electronic lock, and with a click, the cabinet door unlocks.

[0099] This step integrates all these verification results through the access control controller, independently makes a decision on whether to open the door lock and executes it. This process does not rely on real-time network connectivity, which greatly improves the availability and response speed of the system. At the same time, the multi-verification mechanism ensures the security, accuracy and non-repudiation of access to the archives, and achieves the refined management goal of authorization only once, verification upon arrival and expiration.

[0100] Figure 2 This application provides a schematic diagram of the structure of an archive storage access control and permission management system based on TCP / IP communication, as shown below. Figure 2 As shown, the system includes: The receiving module 21 is used to receive file borrowing request information initiated from the file management terminal, wherein the file borrowing request information includes the target file number; Verification module 22 is used to verify whether the operation permission corresponding to the file borrowing request information is within a valid time period preset by the file administrator based on the file borrowing request information. When the verification is successful, a permission validity certificate is generated. Transmission module 23 is used to transmit the permission validity certificate to the access control controller associated with the physical storage location corresponding to the target file number via TCP / IP communication network; The execution module 24 is used to receive and parse the permission validity certificate. After the identity is verified, it determines whether the current time is within the time window allowed by the permission validity certificate. Based on the determination result, it performs the opening or closing operation of the door lock of the archive storage room.

[0101] Figure 2 The aforementioned archive storage access control and permission management system based on TCP / IP communication can execute... Figure 1 The implementation principle and technical effects of the TCP / IP communication-based access control system for archive storage described in the illustrated embodiment will not be elaborated further. The specific methods by which each module and unit performs operations in the TCP / IP communication-based access control system for archive storage described in the above embodiments have been described in detail in the relevant embodiments of the method, and will not be elaborated upon here.

[0102] In one possible design, Figure 2 The illustrated embodiment of an archive storage access control and permission management system based on TCP / IP communication can be implemented as a computing device, such as... Figure 3 As shown, the computing device may include a storage component 31 and a processing component 32; The storage component 31 stores one or more computer instructions, wherein the one or more computer instructions are invoked and executed by the processing component 32.

[0103] The processing component 32 is used for the above Figure 1 The embodiment describes a method for managing access control permissions for an archive storage room based on TCP / IP communication.

[0104] The processing component 32 may include one or more processors to execute computer instructions to complete all or part of the steps in the above-described method. Alternatively, the processing component may be implemented as one or more application-specific integrated circuits (ASICs), digital signal processors (DSPs), digital signal processing devices (DSPDs), programmable logic devices (PLDs), field-programmable gate arrays (FPGAs), controllers, microcontrollers, microprocessors, or other electronic components to perform the above-described method.

[0105] Storage component 31 is configured to store various types of data to support operations at the terminal. The storage component can be implemented by any type of volatile or non-volatile storage device or a combination thereof, such as static random access memory (SRAM), electrically erasable programmable read-only memory (EEPROM), erasable programmable read-only memory (EPROM), programmable read-only memory (PROM), read-only memory (ROM), magnetic storage, flash memory, magnetic disk, or optical disk.

[0106] Of course, computing devices may also include other components, such as input / output interfaces, display components, communication components, etc.

[0107] Input / output interfaces provide interfaces between processing components and peripheral interface modules, which can be output devices, input devices, etc.

[0108] The communication components are configured to facilitate wired or wireless communication between computing devices and other devices.

[0109] The computing device can be a physical device or an elastic computing host provided by a cloud computing platform. In this case, the computing device can refer to a cloud server, and the aforementioned processing components, storage components, etc., can be basic server resources rented or purchased from the cloud computing platform.

[0110] This application also provides a computer storage medium storing a computer program, which, when executed by a computer, can perform the above-described functions. Figure 1 The illustrated embodiment presents a method for access control management of an archive storage room based on TCP / IP communication.

[0111] Those skilled in the art will clearly understand that, for the sake of convenience and brevity, the specific working processes of the systems, devices, and units described above can be referred to the corresponding processes in the foregoing method embodiments, and will not be repeated here.

[0112] The device embodiments described above are merely illustrative. The units described as separate components may or may not be physically separate. The components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple network units. Some or all of the modules can be selected to achieve the purpose of this embodiment according to actual needs. Those skilled in the art can understand and implement this without any creative effort.

[0113] Through the above description of the embodiments, those skilled in the art can clearly understand that each embodiment can be implemented by means of software plus necessary general-purpose hardware platforms, and of course, it can also be implemented by hardware. Based on this understanding, the above technical solutions, in essence or the part that contributes to the prior art, can be embodied in the form of a software product. This computer software product can be stored in a computer-readable storage medium, such as ROM / RAM, magnetic disk, optical disk, etc., and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute the methods described in the various embodiments or some parts of the embodiments.

[0114] Finally, it should be noted that the above embodiments are only used to illustrate the technical solutions of this application, and are not intended to limit them. Although this application has been described in detail with reference to the foregoing embodiments, those skilled in the art should understand that modifications can still be made to the technical solutions described in the foregoing embodiments, or equivalent substitutions can be made to some of the technical features. Such modifications or substitutions do not cause the essence of the corresponding technical solutions to deviate from the spirit and scope of the technical solutions of the embodiments of this application.

Claims

1. A method for access control and permission management of an archive storage room based on TCP / IP communication, characterized in that, include: Receive file borrowing request information initiated from the file management terminal, wherein the file borrowing request information includes the target file number; Based on the file borrowing request information, verify whether the operation permission corresponding to the file borrowing request information is within the valid time period preset by the file administrator. When the verification is successful, generate a permission validity certificate. The validity certificate of the access control is transmitted via TCP / IP communication network to the access controller associated with the physical storage location corresponding to the target file number; The system receives and parses the permission validity certificate. After successful identity verification, it determines whether the current time is within the time window allowed by the permission validity certificate. Based on the determination result, it performs the opening or closing operation of the door lock of the archive storage room.

2. The access control method for archive storage rooms based on TCP / IP communication as described in claim 1, characterized in that, Receives a file borrowing request from the file management terminal. The file borrowing request includes the target file number and includes: On the human-computer interaction interface of the file management terminal, select a file item from the pre-stored file catalog list and extract the target file number corresponding to the file item; Based on the selected file entry and the corresponding target file number, initial request data is generated. The initial request data includes the target file number, the timestamp of the initial request data generation, and the operator identifier used when logging into the file management terminal. The initial request data is encrypted to obtain encrypted request data, and the encrypted request data is organized into a data packet according to predefined communication rules. The data packets are sent to the central system via a TCP / IP communication network, and the data packets are parsed according to the predefined communication rules to obtain encrypted data. The encrypted data is decoded to obtain the file borrowing request information.

3. The access control method for archive storage rooms based on TCP / IP communication according to claim 2, characterized in that, Based on the document borrowing request information, verify whether the operation permission corresponding to the document borrowing request information is within a valid time period preset by the document administrator. When the verification is successful, generate a permission validity certificate, including: Extract the target file number, operator identifier, and time stamp of when the file borrowing request information was generated from the file borrowing request information; Based on the target file number, search for the access control controller identifier corresponding to the target file number in the pre-stored file access control association; Based on the operator's identifier, query the permission rule base that is pre-set and stored by the file administrator to obtain the target file category associated with the operator's identifier and the fixed valid time period configured for the target file category. The fixed valid time period includes the start date and end date and time of the allowed operation. Determine whether the timestamp when the file borrowing request information is generated falls within the time range of the fixed valid time period, and determine whether the file category to which the target file number belongs is included in the target file category; When the timestamp falls within the fixed valid time period and the file category to which the target file number belongs is included, the verification is deemed successful. After the verification is passed, the allowed operation time window is calculated based on the start and end dates of the fixed valid time period; The operator identifier, the target file number, the access control controller identifier, and the permitted operation time window are combined to form an initial data packet, which is then encrypted and digitally signed to generate an authorization validity certificate.

4. The method for access control management of archive storage rooms based on TCP / IP communication according to claim 3, characterized in that, Determining whether the timestamp when the file borrowing request information is generated falls within the time range of the fixed valid time period, and determining whether the file category to which the target file number belongs is included in the target file category, includes: According to the preset field arrangement order, the operator identifier, the target file number, the access control controller identifier, and the start and end dates of the allowed operation time window are sequentially concatenated to form a plaintext string; The plaintext string is processed by applying a preset first encoding rule, converting each character in the plaintext string into a corresponding binary value sequence to obtain binary encoded data; The private coded key stored in the central system is invoked to perform operations on the binary coded data and generate additional verification data. The additional verification data is appended to the end of the binary encoded data to form a combined data block; The combined data block is processed by applying a preset second encoding rule, the binary data in the combined data block is segmented into segments of fixed length, each segment of binary data is mapped to a printable character in a predetermined character set, and all printable characters are arranged in order to generate an authorization validity certificate.

5. The method for access control management of archive storage rooms based on TCP / IP communication according to claim 1, characterized in that, Transmitting the authorization certificate via a TCP / IP communication network to the access control controller associated with the physical storage location corresponding to the target file number includes: Extract the exit control controller identifier from the permission validity certificate; Search the pre-stored network address mapping table for the network address information that uniquely corresponds to the access controller identifier; The authorization certificate is used as the core data content to be sent, and a control header containing the network address information is added to the header of the core data content to generate a network transmission data frame. The network transmission data frames are sent to the TCP / IP communication network through the network interface; The routing device in the TCP / IP communication network forwards the network transmission data frame to the access control controller specified by the access control controller identifier based on the network address information in the control header of the network transmission data frame. After the access control controller receives the network transmission data frame through the network interface, it removes the control header, extracts the permission validity certificate, and stores the permission validity certificate in the access control controller's local non-volatile memory.

6. The method for access control management of archive storage rooms based on TCP / IP communication according to claim 1, characterized in that, The system receives and parses the permission validity certificate. After successful identity verification, it determines whether the current time is within the time window allowed by the permission validity certificate. Based on the determination result, it performs an opening or closing operation on the door lock of the archive storage room, including: Read the permission validity certificate from local non-volatile memory; The permission validity certificate is processed by applying the reverse processing rule corresponding to the second encoding rule, restoring the printable character sequence in the permission validity certificate into a combined data block, and separating the combined data block into binary encoded data and additional verification data; The pre-stored public encoding key is used to perform calculations on the binary encoded data to generate reference verification data. The reference verification data is then compared with the additional verification data. When the reference verification data and the additional verification data are consistent, the permission validity certificate is determined to be complete and valid. Once the permission validity certificate is determined to be complete and valid, the reverse processing rule corresponding to the first encoding rule is applied to extract the operator identifier, the start date and end date of the allowed operation time window from the binary encoded data. The operator's identity information collected on-site is compared with the operator's identifier. When the operator's identity information collected on-site matches the operator's identifier, the identity verification is deemed successful. The system obtains the current date and time, determines whether the current date and time are within the time range defined by the start date and time and end date and time, and generates a drive signal based on the determination result to control the electronic door lock to perform an opening or closing operation.

7. The method for access control management of archive storage rooms based on TCP / IP communication according to claim 6, characterized in that, The binary encoded data is processed using a pre-stored public key to generate reference verification data. This reference verification data is then compared with the additional verification data. If the reference verification data matches the additional verification data, the validity of the authorization certificate is determined to be complete and valid. Read the pre-stored public coded key from the secure storage area of ​​the access control controller, and use the public coded key and the binary coded data as input to perform calculations and generate reference verification data; The additional verification data is extracted from the end of the combined data block at a predetermined fixed length; The reference verification data and the additional verification data are compared element by element. When each corresponding element of the reference verification data and the additional verification data is the same, the permission validity certificate is determined to be complete and valid.

8. A permission management system for access control of an archive storage room based on TCP / IP communication, characterized in that, include: The receiving module is used to receive file borrowing request information initiated from the file management terminal, wherein the file borrowing request information includes the target file number; The verification module is used to verify whether the operation permission corresponding to the file borrowing request information is within a valid time period preset by the file administrator based on the file borrowing request information. When the verification is successful, a permission validity certificate is generated. The transmission module is used to transmit the authorization certificate via a TCP / IP communication network to the access controller associated with the physical storage location corresponding to the target file number; The execution module is used to receive and parse the permission validity certificate. After the identity is verified, it determines whether the current time is within the time window allowed by the permission validity certificate. Based on the determination result, it performs the opening or closing operation of the door lock of the archive storage room.

9. A computing device, characterized in that, It includes a processing component and a storage component; the storage component stores one or more computer instructions; the one or more computer instructions are invoked and executed by the processing component to implement the access control method for an archive storage room based on TCP / IP communication as described in any one of claims 1 to 7.

10. A computer storage medium, characterized in that, The system contains a computer program that, when executed by a computer, implements a method for managing access control permissions for an archive storage room based on TCP / IP communication, as described in any one of claims 1 to 7.