Access control system for a data center centralized management platform
By generating an obfuscated credential verification set in the data center centralized management platform and combining it with an access control delay ranging module and a pre-screening comparison module, the problem of credential verification being easily cracked in the centralized data center management scenario is addressed, achieving more granular access control and enhanced security.
Patent Information
- Authority / Receiving Office: CN · China
- Patent Type: Applications (China)
- Current Assignee / Owner: BEIJING BLUE SHUGUANG INFORMATION TECHNOLOGY CO LTD
- Filing Date: 2026-04-14
- Publication Date: 2026-06-19
AI Technical Summary
In centralized data center management scenarios, existing technologies make the credential verification chain vulnerable to attack, and the lack of ability to identify the source of credentials in access control means that correct logical permissions do not necessarily equate to genuine access behavior, resulting in insufficient security.
The system employs a pre-built credential management module to generate a set of obfuscated credentials. Combined with an access control delay ranging module and a pre-screening module, and through a hidden index checklist and an isolation verification and control module, it achieves multi-level verification of credentials and verification of physical propagation paths, thus forming fine-grained access decisions.
It enhances the ability to prevent credential detection and reverse engineering, reduces the scope of sensitive information flow in the link, improves the security and accuracy of access decisions, and reduces the probability of false access.
[Figure CN122247731A_ABST: abstract drawing]
Abstract
Description
Technical Field
[0001] This invention relates to the field of access control technology, and in particular to an access control system for a centralized data center management platform.
Background Technology
[0002] Access control technology mainly revolves around the identification, verification, and authorization of access behaviors to information systems, physical spaces, and various resources. Its core lies in constraining and protecting the resource usage process by confirming the identity of the access subject and managing access permissions in a refined manner.
[0003] Current technologies primarily focus on verifying identity information and permission records after an access request is initiated. While this operational model is generally applicable in typical office network environments, it reveals several shortcomings when placed in a centralized data center environment. Credential verification chains typically rely on clear credential correspondences, with a relatively direct mapping between verification records, permission records, and identity records. Once attackers gain access to some authentication information or log fragments, they can deduce the true credential's location based on these fixed relationships, resulting in a wide credential exposure surface and significant pressure on the static storage phase. Access confirmation often focuses on the logical identity layer. Once credentials are copied, transferred, or forwarded, as long as the content remains consistent, the verification chain can be breached to reach subsequent authorization stages. Risks such as remote relay impersonation, proxy access, and fake access are more difficult to identify at the entry point. While permission management emphasizes granularity, the judgment criteria mainly revolve around the correspondence between accounts, roles, and resources. It lacks sufficient ability to discern whether the same credential originates from a legitimate holding path or arrives at the control end via an abnormal access control interaction link, meaning that correct logical permissions do not necessarily equate to genuine access behavior. Therefore, improvements are needed.
Summary of the Invention
[0004] The purpose of this invention is to overcome the shortcomings of existing technologies and propose an access control system for a centralized data center management platform.
[0005] To achieve the above objectives, the present invention adopts the following technical solution: The access control system of the data center centralized management platform includes: The management credential pre-construction module extracts the entered characters as the administrator's native character sequence; generates an interference sequence with the same length as the native character sequence; merges the native character sequence and all interference sequences into a plaintext set to be encoded; encrypts the plaintext set to be encoded to generate an obfuscated credential verification set; identifies the mapping items in the obfuscated credential verification set that belong to the native character sequence, and establishes a hidden index verification form. The access control delay ranging module extracts a ranging reference signal from the random bit stream generated by the data center access control program; sends the ranging reference signal to the hardware token receiver to extract the response return timestamp; calculates the signal round-trip time based on the response return timestamp and the departure timestamp; extracts the pre-programmed internal circuit transmission delay constant, and calculates the spatial communication span value in combination with the signal round-trip time value. The pre-screening module encrypts and generates an input credential hash based on the external authentication credential string received by the data center access control system; it then compares the input credential hash with each record in the obfuscated credential verification set to obtain the sequence identifier of the matching credential. The isolation verification and control module retrieves the trigger command based on the verification form, combines it with the hit credential sequence identifier, and obtains the sequence validity status; based on the spatial communication span value, it determines whether to send platform access authorization.
[0006] Preferably, the steps for obtaining the hidden index verification form are as follows: Based on the input characters output by the centralized management platform of the data center, the administrator's input content is extracted one by one according to the order of character writing, the position corresponding to each character is locked to form the administrator's original character sequence, and then interference characters are configured one by one according to the number of characters in the administrator's original character sequence to generate multiple interference sequences of the same length. The administrator's original character sequence and multiple interference sequences are written into a unified encoding queue one by one according to the preset insertion rules to form a plaintext set to be encoded. Read all character positions of each plaintext in the plaintext set to be encoded item by item, write the first part of the preset salt string at the beginning of each plaintext, write the second part of the preset salt string at the end of each plaintext, output the corresponding obfuscated hash content continuously according to the character position order, and then write the obfuscated hash content corresponding to each plaintext item into the verification array column by column according to the arrangement order of the plaintext set to be encoded to generate an obfuscated credential verification set. According to the column writing order of the obfuscated credential verification set, the source order of the column records is checked column by column to locate the column record corresponding to the administrator's original character sequence. The column sorting position number of the column record corresponding to the administrator's original character sequence in the obfuscated credential verification set is extracted, and then the column sorting position number is written into the independent storage area of the one-way communication verification node. A hidden index verification sheet is formed according to the correspondence between the column sorting position number and the independent storage location.
[0007] Preferably, the step of obtaining the signal round-trip time value is as follows: Based on the access control random bit stream generated by the data center access control program, the contents of each bit are read bit by bit according to the output bit order of the access control random bit stream. The target synchronization bit used for synchronization determination is locked. The output position and output timing of the target synchronization bit in the access control random bit stream are extracted. Then, the target synchronization bit is separated and written into the ranging trigger channel to form a ranging reference signal. The ranging reference signal is sent to the hardware token receiver. The departure timestamp of the target synchronization bit is recorded at the instant the ranging reference signal leaves the access control sending side. The response return timestamp corresponding to the target synchronization bit is recorded at the instant the hardware token receiver completes the response return. The time difference between the response return timestamp and the departure timestamp is then computed to generate the signal round-trip time value.
[0008] Preferably, the step of obtaining the spatial communication span value is as follows: The pre-programmed internal circuit transmission delay constant is retrieved, and the signal round-trip time value is reduced by the internal circuit transmission delay constant. The net propagation time after deduction is extracted, and then the net propagation time is divided into one-way spatial propagation time according to the round-trip signal path. The electromagnetic wave free space propagation speed constant is called to perform span conversion on the one-way spatial propagation time to obtain the spatial communication span value.
[0009] Preferably, the step of obtaining the input credential hash is as follows: Based on the external authentication credential string received by the data center access control system, the content of each character position is extracted one by one according to the character input order of the external authentication credential string. The arrangement position and character length information of each character position are recorded. Then, the preset salted string is inserted into the first, middle, and last character positions of the external authentication credential string according to the predetermined concatenation order. The concatenated continuous character content is mapped and transformed one by one. The corresponding hash record is generated according to the fixed output bit width to obtain the input credential hash item.
[0010] Preferably, the step of obtaining the hit credential sequence identifier is as follows: Retrieve all column records within the obfuscated credential verification set, read the hash content of each record column by column according to the column sorting order of the obfuscated credential verification set, check the hash content of each record against the output bit content of each output bit of the input credential hash item, count the consistency of the same position of all output bits in each column record, and lock the corresponding column record when the character content and arrangement position of all output bits are all consistent, and generate an absolutely consistent matching item. Read the column sorting position number corresponding to the absolutely consistent matching item within the obfuscated credential verification set, write the column sorting position number into the preset identifier encapsulation field, and then output the start position, end position, and check position corresponding to the column sorting position number in a fixed encapsulation order to form the hit credential position identifier.
[0011] Preferably, the step of obtaining the sequence validity status is as follows: According to the verification sheet retrieval trigger command, the retrieval flag and injection flag in the verification sheet retrieval trigger command are parsed. The hit credential sequence identifier is written into the input port of the one-way data channel according to the transmission direction specified by the verification sheet retrieval trigger command. The hit credential sequence identifier is controlled to pass through the one-way data channel bit by bit and enter the isolation sandbox inside the one-way communication verification node. Then, the isolation sandbox extracts the column sorting sequence number from the hit credential sequence identifier. According to the column sorting sequence number, the corresponding record is located one by one in the hidden index verification sheet. The number content, number position, and number length of the column sorting sequence number are checked to see if they are completely consistent with the corresponding record in the hidden index verification sheet. If the number content, number position, and number length of the column sorting sequence number are all consistent, a true value flag is written. If any item of the column sorting sequence number is inconsistent, a negative value flag is written, thus obtaining the sequence validity status.
[0012] Preferably, the steps for obtaining the platform access authorization are as follows: The system retrieves the threshold value of the access control sensor boundary crossing threshold constant preset by the management system. It performs a dimensionless comparison between the spatial communication span value and the threshold value of the access control sensor boundary crossing threshold constant. It records the proximity marker when the spatial communication span value is less than the access control sensor boundary crossing threshold constant and the boundary crossing marker when the spatial communication span value is greater than or equal to the access control sensor boundary crossing threshold constant. Then, it writes the truth mark or negative mark in the positional legality status with the proximity mark or boundary crossing marker into the same judgment field and performs combined verification according to a predetermined judgment order. When the positional legality status is a truth mark and the proximity mark is valid, it writes a release mark. When the positional legality status is a negative mark or the boundary crossing marker is valid, it writes a blocking mark, thus forming the platform access release condition status. The system reads the release or blocking flag from the platform access release condition status. The isolation sandbox calls the dedicated out-of-band management channel according to the authorization output rule corresponding to the release flag, writes the access category flag, release direction flag, and execution timing flag to the access controller, combines them to form a complete authorization instruction, and sends the complete authorization instruction to the access controller. After receiving the complete authorization instruction, the access controller registers the release record and obtains the platform access release authorization.
[0013] Compared with the prior art, the advantages and positive effects of the present invention are as follows: In this invention, after the input characters are extracted into the administrator's original character sequence, an interference sequence of the same length is generated. The administrator's original character sequence and the interference sequence are then merged into the plaintext set to be encoded, so that the true source of the credential is dispersed across multiple candidate records. Even if an external observer accesses the verification record, it is difficult to directly locate the position of the true credential, thus reducing the risk of credential storage exposure. The plaintext set to be encoded is then salted and hashed to form an obfuscated credential verification set, and the position of the mapping item belonging to the administrator's original character sequence is independently written into the hidden index check sheet. The verification basis is thus split into two parts: the surface hash record and the isolated position index. A single-point leak makes it difficult to piece together the complete authentication relationship, which enhances the credential's resistance to probing and reverse engineering. When an external authentication credential string enters, only the input credential hash item is generated and pre-screening is completed; the hit result outputs only the hit credential position identifier. Subsequent verification stages no longer directly expose the original authentication content, thus compressing the flow range of sensitive information in the link and reducing the possibility of credential content being intercepted during repeated comparisons. In the random bit stream of the access control system, the target synchronization bit is extracted as a ranging reference signal. This signal, combined with the departure timestamp, response return timestamp, internal circuit transmission delay constant, and spatial communication span value, constructs a distance constraint judgment. Access confirmation is no longer limited to character-level credential matching; it also incorporates verification of the physical propagation path. A distinguishable boundary is formed between near-field holding and remote forwarding, making it easier to intercept long-distance relays masquerading as access control links. After the credential sequence identifier is matched and enters the isolated area, a single-order validity judgment is performed by comparing it with the hidden index. This is further constrained by the spatial communication span value and the access control sensor's boundary crossing threshold constant. Access granting is based on the simultaneous fulfillment of three conditions: credential matching, valid sequence, and compliant spatial distance. This finer-grained access decision reduces the probability of false granting and improves security.
Attached Figure Description
[0014] Figure 1 is a schematic diagram of the principle of the present invention.
Detailed Implementation
[0015] To make the objectives, technical solutions, and advantages of this invention clearer, the invention will be further described in detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative and not intended to limit the invention.
[0016] Referring to Figure 1, the present invention provides the following technical solution: the access control system of the centralized management platform for data centers includes: The pre-constructed management credential module extracts the entered characters as the administrator's native character sequence; generates an interference sequence with the same length as the native character sequence; merges the native character sequence with all interference sequences into a plaintext set to be encoded; encrypts the plaintext set to be encoded to generate an obfuscated credential verification set; identifies the mapping items in the obfuscated credential verification set that belong to the native character sequence, and establishes a hidden index verification form. The access control delay ranging module extracts the ranging reference signal from the random bit stream generated by the data center access control program; sends the ranging reference signal to the hardware token receiver to extract the response return timestamp; calculates the signal round-trip time based on the response return timestamp and the departure timestamp; extracts the pre-programmed internal circuit transmission delay constant, and calculates the spatial communication span value by combining it with the signal round-trip time value. The pre-screening module encrypts and generates an input credential hash based on the external authentication credential string received by the data center access control system; it then compares the input credential hash with each record in the obfuscated credential verification set to obtain the sequence identifier of the matching credential. The isolation verification and control module retrieves the trigger command based on the verification form, combines it with the hit credential sequence identifier, and obtains the sequence validity status; based on the spatial communication span value, it determines whether to send platform access authorization.
[0017] The steps to obtain the hidden index verification form are as follows: Based on the input characters output by the centralized management platform of the data center, the administrator's input content is extracted one by one according to the order of character writing, the position corresponding to each character is locked to form the administrator's original character sequence, and then interference characters are configured one by one according to the number of characters in the administrator's original character sequence to generate multiple interference sequences of the same length. The administrator's original character sequence and multiple interference sequences are written into a unified encoding queue one by one according to the preset insertion rules to form a plaintext set to be encoded. Read all characters of each plaintext in the plaintext set to be encoded one by one, write the first part of the preset salt string at the beginning of each plaintext and the last part of the preset salt string at the end of each plaintext, output the corresponding obfuscated hash content continuously according to the character position order, and then write the obfuscated hash content corresponding to each plaintext into the verification array column by column according to the arrangement order of the plaintext set to be encoded to generate the obfuscated credential verification set. The column records are checked one by one according to the order in which they are written in the obfuscated credential verification set. The column record corresponding to the administrator's original character sequence is located, and the column sorting position number of that column record in the obfuscated credential verification set is extracted. Then, the column sorting position number is written into the independent storage area of the one-way communication verification node. A hidden index verification sheet is formed according to the correspondence between the column sorting position number and the independent storage location.
[0018] Specifically, based on the characters entered from the centralized management platform of the data center, the administrator's input is extracted character by character in the order in which it was written, and the position of each character is locked to form the administrator's original character sequence. For example, if the extracted administrator's original character sequence is "Passw@rd123", its length is ... (the value is 11), and the number of interference sequences to be generated is then determined from the number of character positions in the administrator's original character sequence, specifically set to ... , that is, ... sequences are generated. Next, from a predefined character pool containing uppercase and lowercase letters, numbers, and special symbols (e.g., characters 33 to 126 in the ASCII table), the characters already included in the administrator's original character sequence (i.e., "P", "a", "s", "w", "@", "r", "d", "1", "2", "3") are removed. Using the remaining character set, a pseudo-random number generator selects characters one by one to generate 120 interference sequences with the same length as the administrator's original character sequence, such as "AbcDef45678" and "zYxWvU@#$!%". Then, according to a preset insertion rule, the administrator's original character sequence and the 120 interference sequences, 121 items in total, are written into a unified encoding queue. This insertion rule is based on a linear congruential generator seeded with the current system millisecond-level timestamp; the calculation formula is ... , in which the terms are the current pseudo-random value, the multiplier factor (set to 1664525), the increment (set to 1013904223), and the modulus (set to ...). The formula generates an integer between 0 and 120, which is the insertion index of the administrator's original character sequence in the unified encoding queue. The remaining positions are filled with the 120 interference sequences in order to form the plaintext set to be encoded.
[0019] The entire character content of each plaintext item in the plaintext set to be encoded is read item by item. The first part of a pre-defined salt string is written before the first character of each plaintext item, and the last part of the pre-defined salt string is written after the last character of each plaintext item. This pre-defined salt string is a fixed string generated during system initialization by collecting information such as the hardware device serial number, system startup time, and network MAC address, performing a SHA-512 hash operation on it, and taking the first 64 characters of the result. For example, for "KqV5...H9jP", its first part is defined as characters 1 to 32 (i.e., "KqV5...") and its last part as characters 33 to 64 (i.e., "...H9jP"). For each plaintext item in the plaintext set to be encoded, the parts are concatenated to form a string to be hashed, whose structure is the first part of the salt string, followed by the plaintext item, followed by the last part of the salt string. The SHA-256 hash algorithm is then used to process each concatenated string, generating a 256-bit hash value that is represented as a 64-character hexadecimal string. This process does not transform the plaintext characters in any way; it directly performs salting and hash calculation, thereby continuously outputting the corresponding obfuscated hash content. Finally, the obfuscated hash content corresponding to each plaintext item is written as a separate column into a two-dimensional verification matrix, strictly following its order in the plaintext set to be encoded. For example, the hash value of the first plaintext item in the plaintext set to be encoded becomes the first column of the verification matrix, the second item becomes the second column, and so on, until the hash values of all 121 plaintext items are written, generating an obfuscated credential verification set.
[0020] Following the column writing order of the obfuscated credential verification set, the insertion position index of the administrator's original character sequence, calculated and recorded by the linear congruential generator during the step of generating the plaintext set to be encoded, is retrieved. This index uniquely locates the corresponding column record of the administrator's original character sequence in the obfuscated credential verification set. Without needing to check or compare content column by column, this insertion position index is directly extracted as the column sorting sequence number. For example, if the previously calculated insertion position index is 58, then the column sorting sequence number is 58. Next, this column sorting sequence number (i.e., 58) is written to an independent storage area of a physically isolated unidirectional communication verification node via a unidirectional data transmission channel, such as a data diode. This independent storage area is a block of non-volatile memory within the node that uses write-once-read-many (WORM) technology, ensuring that data cannot be tampered with or overwritten after being written. After the write operation is completed, the internal logic of the node binds the specific memory address storing the column sorting index (e.g., address 0x1C8F00E4) with a fixed internal query identifier (e.g., "VALID_INDEX_CHECK"). This binding relationship constitutes the hidden index check sheet. When the external system performs subsequent verification, it can only provide the node with a number to be verified and the query identifier. After comparing internally, the node only returns a Boolean state of "match" or "inconsistent" without revealing the real number value or its storage address, thus forming the hidden index check sheet.
[0021] The steps to obtain the signal round-trip time value are as follows: Based on the access control random bit stream generated by the data center access control program, the contents of each bit are read bit by bit according to the output bit order of the access control random bit stream. The target synchronization bit used for synchronization determination is locked. The output position and output timing of the target synchronization bit in the access control random bit stream are extracted. Then, the target synchronization bit is separated and written into the ranging trigger channel to form a ranging reference signal. The ranging reference signal is sent to the hardware token receiver. The departure timestamp of the target synchronization bit is recorded at the instant the ranging reference signal leaves the access control sending side. The response return timestamp corresponding to the target synchronization bit is recorded at the instant the hardware token receiver completes the response return. The time difference between the response return timestamp and the departure timestamp is then computed to generate the signal round-trip time value.
[0022] Specifically, based on the access control random bit stream generated by the data center access control program, each bit is read sequentially according to the output bit order of the access control random bit stream. This access control random bit stream is generated in real time from thermal noise by a hardware true random number generator (TRNG) connected to the access controller, at a rate of 1 Mbps. The target synchronization bit used for synchronization determination is locked. The locking rule is to search for the first occurrence of a specific 4-bit pattern in the bit stream; this pattern is preset to "1011". During the bit-by-bit reading process, a 4-bit sliding window is maintained, and when the window content matches "1011", the last bit "1" in the window is locked as the target synchronization bit. Then, the output position of the target synchronization bit in the entire access control random bit stream (e.g., the 258th bit) and its precise output timing (obtained by reading a nanosecond-level high-precision system clock synchronized with the bit stream) are extracted. Finally, the logic value "1" of the target synchronization bit is converted into a standard 3.3 V TTL-level pulse with a fixed pulse width of 50 nanoseconds and output directly to a dedicated general-purpose input/output (GPIO) pin without any encoding or modulation. This pin is defined as the ranging trigger channel, thus forming a clear, instantaneous, and easily detectable ranging reference signal.
[0023] The ranging reference signal is sent to the hardware token receiver. At the instant the leading edge of the voltage pulse of the ranging reference signal leaves the GPIO pin on the access control transmitter side, the departure timestamp of the target synchronization bit is captured and recorded by the high-precision clock inside the access controller. The hardware token's receiver continuously monitors its corresponding receive pin. Once it detects a voltage transition from low (0 V) to high (3.3 V), the microcontroller inside the hardware token immediately generates a response signal. This response signal is the inversion of the received bit, i.e., a 0 V level pulse corresponding to a logic "0", and is immediately transmitted back through the token's own transmitting circuit. After receiving this returning 0 V level pulse, the access controller's receiving circuit likewise captures and records the response return timestamp corresponding to the target synchronization bit at the instant the signal's leading edge occurs. Then, the time difference between the response return timestamp and the departure timestamp is calculated using the following formula: ... , in which the terms are the signal round-trip time, the response return timestamp, and the departure timestamp. For example, if the recorded departure timestamp is 1577836800.123456789 seconds and the response return timestamp is 1577836800.123456854 seconds, then the calculated signal round-trip time is 65 nanoseconds, and the signal round-trip time value is generated.
[0024] The steps for obtaining the spatial communication span value are as follows: The pre-programmed internal circuit transmission delay constant is retrieved and deducted from the signal round-trip time. The net propagation time remaining after the deduction is extracted, and then, because the signal path is a round trip, the net propagation time is halved to obtain the one-way spatial propagation time. The electromagnetic wave free-space propagation speed constant is invoked to convert the one-way spatial propagation time into a span value, giving the spatial communication span value.
[0025] Specifically, the internal circuit transmission delay constant is retrieved from the non-volatile memory (e.g., EEPROM) pre-programmed into the access controller and hardware token. This constant is measured during the equipment's factory calibration phase. The specific method involves placing the access controller and the hardware token's antennas close together (physical distance close to zero), performing 1000 round-trip distance measurements, and recording 1000 signal round-trip time values. After removing the maximum and minimum values, the average of the remaining 998 values is calculated. This average value is the internal circuit transmission delay constant; for example, a measured value of 42 nanoseconds. Then, the internal circuit transmission delay constant is subtracted from the signal round-trip time value calculated in the previous process, and the remainder is extracted as the net propagation time; for example, 65 nanoseconds minus 42 nanoseconds gives a net propagation time of 23 nanoseconds. Next, because the signal path is a round trip, the net propagation time is halved to yield the one-way spatial propagation time, here 11.5 nanoseconds. Finally, the free-space propagation speed constant of electromagnetic waves, approximately 3 × 10^8 meters per second (m/s), is invoked to convert the one-way spatial propagation time into a distance. The calculation formula multiplies the one-way spatial propagation time by the free-space propagation speed constant, and the product is the final spatial communication span value; substituting the numerical values gives a spatial communication span value of 3.45 meters.
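As an added example (not part of the patent text), the ranging arithmetic of paragraphs [0023] to [0025] in Python: the round-trip time kept as integer nanoseconds, the trimmed-mean calibration of the internal circuit delay constant, and the conversion to a spatial span. The function names and the use of the exact speed of light are this example's assumptions; the patent's worked figures round the constant to 3 × 10^8 m/s, which gives the same 3.45 m to two decimals.

```python
SPEED_OF_LIGHT_M_PER_S = 299_792_458  # free-space propagation speed of electromagnetic waves


def round_trip_time_ns(departure_ns: int, return_ns: int) -> int:
    """Signal round-trip time as integer nanoseconds (paragraph [0023]).

    The timestamps are kept as integers on purpose: a value such as
    1577836800.123456789 s has more significant digits than a double can
    hold, so subtracting two floats would not reproduce the 65 ns reliably.
    """
    if return_ns < departure_ns:
        raise ValueError("response return timestamp precedes departure timestamp")
    return return_ns - departure_ns


def internal_delay_constant_ns(calibration_rtts_ns: list) -> float:
    """Factory calibration of paragraph [0025]: antennas at (near) zero distance,
    many round-trip measurements, drop one maximum and one minimum, average the rest."""
    if len(calibration_rtts_ns) < 3:
        raise ValueError("need at least three calibration samples")
    trimmed = sorted(calibration_rtts_ns)[1:-1]
    return sum(trimmed) / len(trimmed)


def spatial_span_m(rtt_ns: int, internal_delay_ns: float,
                   c_m_per_s: float = SPEED_OF_LIGHT_M_PER_S) -> float:
    """Net propagation time = RTT minus circuit delay; halve it for the one-way
    path; multiply by the propagation speed to obtain the span in meters."""
    net_ns = rtt_ns - internal_delay_ns
    if net_ns < 0:
        # A round trip shorter than the circuit delay itself cannot come from a
        # real propagation path; reject it rather than report a negative distance.
        raise ValueError("round-trip time is shorter than the internal circuit delay")
    one_way_s = (net_ns / 2) * 1e-9
    return one_way_s * c_m_per_s


if __name__ == "__main__":
    # Constructed inputs built from the patent's example figures.
    depart = 1_577_836_800_123_456_789   # 1577836800.123456789 s expressed in ns
    ret = 1_577_836_800_123_456_854      # 1577836800.123456854 s expressed in ns
    rtt = round_trip_time_ns(depart, ret)                       # 65 ns
    delay = internal_delay_constant_ns([42] * 998 + [30, 60])   # 42.0 ns after trimming
    print(f"RTT {rtt} ns, circuit delay {delay} ns, span {spatial_span_m(rtt, delay):.2f} m")
```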
[0026] The steps to obtain the input credential hash are as follows: Based on the external authentication credential string received by the data center access control system, the content of each character position is extracted one by one according to the character input order of the external authentication credential string. The arrangement position and character length information of each character position are recorded. Then, the preset salted string is inserted into the first, middle, and last character positions of the external authentication credential string according to the predetermined concatenation order. The concatenated continuous character content is mapped and transformed one by one. The corresponding hash record is generated according to the fixed output bit width to obtain the input credential hash item.
[0027] Specifically, based on the external authentication credential string received by the data center access control system, the content of each character position is extracted sequentially according to the character input order of the external authentication credential string, and the arrangement position and character length information of each character position are recorded. For example, for the input "Passw@rd123", its length is recorded as 11. Then, the 64-character preset salted string "KqV5...H9jP" generated earlier is inserted into the external authentication credential string according to the predetermined concatenation order. The concatenation order is as follows: the 1st to 32nd characters of the salted string ("KqV5...") are inserted before the first character position of the credential string, and the 33rd to 64th characters of the salted string ("...H9jP") are inserted after the last character position of the credential string, forming a concatenated continuous character content, namely "KqV5..." + "Passw@rd123" + "...H9jP". Then, the concatenated string is mapped by the SHA-256 hash algorithm, which converts input data of arbitrary length into a fixed-length 256-bit (32-byte) hash value; this hash value is then represented as 64 hexadecimal characters according to the fixed output bit width. For example, it yields "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8". This process does not insert characters in the middle; it only salts the beginning and the end. The resulting 64-character hexadecimal string is the input credential hash.
[0028] The steps to obtain the hit credential sequence identifier are as follows: Retrieve all column records within the obfuscated credential verification set, read the hash content of each record column by column according to the column sorting order of the obfuscated credential verification set, check the hash content of each record against the output bits of the input credential hash item bit by bit, count the consistency of the same position of all output bits in each column record, lock the corresponding column record when the character content and arrangement position of all output bits are all consistent, and generate an absolutely consistent matching item. Read the column sorting position number corresponding to the absolutely consistent matching item within the obfuscated credential verification set, write the column sorting position number into the preset identifier encapsulation field, and then output the start position, end position, and check position corresponding to the column sorting position number in a fixed encapsulation order to form the matching credential position identifier.
[0029] Specifically, all 121 columns of records within the obfuscated credential verification set are retrieved. Following the column sorting order (from 1 to 121) of the obfuscated credential verification set, the 64-character hexadecimal hash of each record is read column by column. The hash of each column is then compared character by character with the output of the input credential hash generated in the previous step (e.g., "5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8"). This comparison is a byte-level exact match, starting from the first character and checking whether the characters in the same position of the two strings are identical. The algorithm iterates through all 121 records up to the last character, counting the cases in which the content and arrangement of all 64 output characters in a column are completely identical to the input credential hash. For example, when reading column 58 of the obfuscated credential verification set, if its hash content is found to be exactly the same as the input credential hash, then this column is considered a match. When the content and arrangement of all 64 characters of the two strings are completely identical, this column is locked as an absolutely consistent match. If exactly one column meets this condition after traversing all 121 records, the absolutely consistent match is generated. If no column matches, or if more than one column matches, authentication fails and no absolutely consistent match is generated.
[0030] The algorithm reads the column sorting position number corresponding to the absolutely consistent match within the obfuscated credential verification set. For example, if column 58 is locked as an absolutely consistent match, its column sorting position number is 58. Then, this column sorting position number 58 is written into a preset identifier encapsulation field, which is a fixed-length 32-bit data structure. Next, based on this column sorting position number, the corresponding start bits, end bits, and check bits are generated. The start field is fixed at 16 bits: "1111111111111111" (0xFFFF), and the end field is fixed at 16 bits: "0000000000000000" (0x0000). The check field is determined by performing a 16-bit cyclic redundancy check (CRC-16) on the column sorting position number itself, using the MODBUS variant of the algorithm. The specific calculation process is as follows: set the 16-bit CRC register to the initial value 0xFFFF. XOR the column sorting sequence number (e.g., 58, which is 00111010 in binary) into the CRC register, then process it bit by bit: if the lowest bit of the register is 1, shift the register one bit to the right and XOR it with the polynomial 0xA001; if the lowest bit is 0, only shift the register one bit to the right. Repeat this until all bits of the number have been processed. The final 16-bit register value is the checksum. For example, if the checksum is calculated to be 0xB7C4, these four parts are combined into a 64-bit data packet in the fixed encapsulation order of start field, column sorting sequence number, checksum, and end field, forming the hit credential sequence identifier.
[0031] The steps to obtain the positional validity status are as follows: Based on the verification sheet retrieval trigger command, the retrieval flag and injection flag in the verification sheet retrieval trigger command are parsed. According to the transmission direction specified by the verification sheet retrieval trigger command, the hit credential sequence identifier is written to the input port of the one-way data channel. The hit credential sequence identifier is controlled to pass through the one-way data channel bit by bit and enter the isolation sandbox inside the one-way communication verification node. Then, the isolation sandbox extracts the column sorting sequence number from the hit credential sequence identifier. According to the column sorting sequence number, the corresponding record is located one by one in the hidden index verification sheet. It is checked whether the number content, number position, and number length of the column sorting sequence number are completely consistent with the corresponding record in the hidden index verification sheet. If the number content, number position, and number length of the column sorting sequence number are all consistent, a true value flag is written. If any item of the column sorting sequence number is inconsistent, a negative value flag is written, thus obtaining the sequence validity status.
[0032] Specifically, the verification sheet retrieval trigger command is parsed. This command is an 8-bit command word generated by the pre-screening module, in which the retrieval flag is bit 0 (a value of 1 indicates retrieval) and the injection flag is bit 1 (a value of 1 indicates injection); when command word 0x03 (binary 00000011) is received, both the retrieval and injection flags are 1. Following the transmission direction specified by the command (from the external authentication side to the internal verification side), the 64-bit hit credential sequence identifier generated in the previous process is written through the input port of a unidirectional data channel based on optical coupling; at the physical layer, this channel only allows optical signals to be transmitted from one end to the other. The hit credential sequence identifier is then clocked through the unidirectional data channel bit by bit in a serial manner, entering an isolated sandbox inside the unidirectional communication verification node. This sandbox is a lightweight virtual machine whose network stack has been removed, retaining only access to the unidirectional data channel and internal storage. Once the isolated sandbox has received the complete 64 bits, it first checks that the start field is 0xFFFF and the end field is 0x0000. It then extracts the middle 16-bit column sorting sequence number, re-executes the CRC-16/MODBUS check, and compares the result with the check field in the data packet. After all three checks pass, it locates the extracted column sorting sequence number (e.g., 58) in the previously generated hidden index checklist, which is a set of key-value pairs binding a memory address to a number content. It checks whether the number content (value 58), the memory address where it is stored (e.g., 0x1C8F00E4), and its data length (16 bits) are completely consistent with the record in the hidden index checklist. If all three are consistent, the true value "1" is written to a status register inside the sandbox; if any one is inconsistent (e.g., the CRC check fails or the number content does not match), the negative value "0" is written, yielding the sequence validity status.
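As an added example that is not part of the patent, this Python code walks the pre-screening and sandbox steps of paragraphs [0027] to [0032] end to end: the salted SHA-256 of the credential, the exact-match search over the 121 columns, the 64-bit hit credential sequence identifier with its CRC-16/MODBUS check field, and the sandbox-side verification that yields the sequence validity flag. The salt value, the big-endian byte order of the 16-bit fields and the shape of the hidden index records are assumptions of this example; the constant-time comparison is a defender's refinement rather than something the patent specifies.

```python
import hashlib
import hmac
from typing import Dict, List, Optional, Tuple

# Constructed 64-character salt; the patent only shows the ends "KqV5...H9jP".
SALT = "KqV5" + "A" * 56 + "H9jP"
START_MARK = 0xFFFF
END_MARK = 0x0000
NUMBER_LENGTH_BITS = 16


def input_credential_hash(credential: str, salt: str = SALT) -> str:
    """Paragraph [0027]: salt[0:32] + credential + salt[32:64], SHA-256, 64 hex chars."""
    if len(salt) != 64:
        raise ValueError("preset salted string must be 64 characters")
    concatenated = salt[:32] + credential + salt[32:]
    return hashlib.sha256(concatenated.encode("utf-8")).hexdigest()


def find_matching_column(verification_set: List[str], credential_hash: str) -> Optional[int]:
    """Paragraph [0029]: compare every column (1-based) against the input hash.
    Exactly one match yields the column number; zero or several yield None."""
    matches = [
        column for column, stored in enumerate(verification_set, start=1)
        if len(stored) == 64 and hmac.compare_digest(stored, credential_hash)
    ]
    return matches[0] if len(matches) == 1 else None


def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS as described in paragraph [0030]: init 0xFFFF, poly 0xA001, LSB first."""
    register = 0xFFFF
    for byte in data:
        register ^= byte
        for _ in range(8):
            if register & 1:
                register = (register >> 1) ^ 0xA001
            else:
                register >>= 1
    return register


def build_hit_identifier(column_number: int) -> bytes:
    """Paragraph [0030]: 0xFFFF | 16-bit column number | CRC-16 of the number | 0x0000."""
    if not 1 <= column_number <= 0xFFFF:
        raise ValueError("column number must fit in 16 bits")
    number = column_number.to_bytes(2, "big")        # byte order is an assumption
    crc = crc16_modbus(number).to_bytes(2, "big")
    return START_MARK.to_bytes(2, "big") + number + crc + END_MARK.to_bytes(2, "big")


# Hidden index checklist record: (memory address, data length in bits), keyed by number content.
HiddenIndex = Dict[int, Tuple[int, int]]


def sandbox_validity_flag(packet: bytes, hidden_index: HiddenIndex) -> int:
    """Paragraph [0032], sandbox side: returns 1 (true value) or 0 (negative value).
    Every failed check collapses to 0, so the caller learns nothing about which one failed."""
    if len(packet) != 8:
        return 0
    start = int.from_bytes(packet[0:2], "big")
    number_bytes = packet[2:4]
    column_number = int.from_bytes(number_bytes, "big")
    crc = int.from_bytes(packet[4:6], "big")
    end = int.from_bytes(packet[6:8], "big")
    if start != START_MARK or end != END_MARK:
        return 0
    if crc != crc16_modbus(number_bytes):
        return 0
    record = hidden_index.get(column_number)     # number content must be present
    if record is None:
        return 0
    # The memory address travels with the record; checking it against the sandbox's
    # own storage layout is outside this example, the length check is modelled.
    _address, length_bits = record
    return 1 if length_bits == NUMBER_LENGTH_BITS else 0


if __name__ == "__main__":
    # Constructed verification set: 121 decoy hashes, the administrator hash in column 58.
    verification_set = [input_credential_hash(f"decoy-{i}") for i in range(1, 122)]
    verification_set[57] = input_credential_hash("Passw@rd123")
    hidden_index: HiddenIndex = {58: (0x1C8F00E4, 16)}   # address from the patent's example

    column = find_matching_column(verification_set, input_credential_hash("Passw@rd123"))
    packet = build_hit_identifier(column)
    print(f"hit column {column}, identifier {packet.hex()}, "
          f"validity {sandbox_validity_flag(packet, hidden_index)}")
```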
[0033] The steps to obtain platform access permission are as follows: The system retrieves the threshold value of the access control sensor boundary crossing threshold constant preset by the management system. It compares the spatial communication span value with the threshold value of the access control sensor boundary crossing threshold constant in the same unit. It records the proximity marker when the spatial communication span value is less than the access control sensor boundary crossing threshold constant, and the boundary crossing marker when the spatial communication span value is greater than or equal to the access control sensor boundary crossing threshold constant. Then, it writes the true or negative marker of the sequence validity status together with the proximity marker or boundary crossing marker into the same judgment field and performs combined verification according to the predetermined judgment order. When the sequence validity status is true and the proximity marker is valid, it writes the release marker. When the sequence validity status is negative or the boundary crossing marker is valid, it writes the blocking marker, thus forming the platform access release condition status. The system reads the release or blocking flag from the platform access release condition status. The isolation sandbox calls the dedicated out-of-band management channel according to the authorization output rule corresponding to the release flag, writes the access category flag, release direction flag, and execution timing flag for the access controller, combines them to form a complete authorization instruction, and sends the complete authorization instruction to the access controller. After receiving the complete authorization instruction, the access controller registers the release record and obtains the platform access release authorization.
[0034] Specifically, the system retrieves the preset threshold value of the access control sensor boundary crossing threshold constant from the management system. This threshold value is set based on the physical environment and security policies of the specific access control points in the data center. For example, for an access control point that requires personnel to be close enough to swipe a card or use a token, the normal interaction distance is within 0.5 meters. Considering potential signal fluctuations and a certain operational tolerance, the security boundary is set to 1.5 meters. Therefore, the access control sensor boundary crossing threshold constant is set to 1.5 meters. Then, the spatial communication span value calculated earlier by the access control delay ranging module (e.g., 3.45 meters) is compared with the threshold value of the access control sensor boundary crossing threshold constant (1.5 meters) in the same unit. Since 3.45 meters is greater than 1.5 meters, a boundary crossing marker is recorded as the Boolean value "True", while the proximity marker is recorded as "False". Then, the truth flag (e.g., "1") or negative flag (e.g., "0") of the sequence validity status obtained in the earlier step is written to one bit of the same 32-bit decision field, and the newly recorded proximity flag ("False") or out-of-bounds flag ("True") to another. For example, the sequence validity status is written to bit 0, and the proximity flag is written to bit 1. Then, a combined check is performed according to a predetermined decision order, which is a logical AND operation: the allow flag "1" is written to bit 2 of the decision field only if the sequence validity status is the truth flag ("1") and the proximity flag is "True" (i.e., the out-of-bounds flag is "False"). In the current example, the sequence validity status is "1" but the proximity flag is "False", so the result of the combined check is false, the blocking flag "0" is written, and the platform access allow condition state is formed.
[0035] The system reads the allow or block flag from the platform access allow condition status. For example, in another scenario, the final platform access allow condition status might be the allow flag "1". After the isolation sandbox detects this status, it calls a dedicated, physically isolated out-of-band management channel (e.g., an independent RS-485 bus) according to the authorization output rule corresponding to the allow flag, in order to write an authorization command to the access controller. This rule defines the specific format and content of the command. First, an access category flag is generated, set to "0x01" based on administrator privileges, representing the highest management privilege. Then, an allow direction flag is generated, set to "0xAA" based on the access sensor location, representing allowed entry. Next, an execution timing flag is generated by obtaining the current NTP-synchronized UTC timestamp and adding a 5-second validity period to form 64-bit timing data. Finally, these three flags are combined into the 128-bit complete authorization command, with the structure: 16-bit frame header (0x55AA) + 8-bit category (0x01) + 8-bit direction (0xAA) + 64-bit timing + 32-bit CRC checksum. The isolation sandbox sends this 128-bit complete authorization instruction to the access controller via the RS-485 bus. After receiving the instruction, the access controller first verifies its CRC checksum, then parses out the individual flags. After confirming that the timing flag is within the validity period, it drives the door lock relay and immediately registers this access record in the local anti-tampering log, including the timestamp, access direction, and access category, thus obtaining platform access authorization.
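An added example, not from the patent, of the decision and authorization steps of paragraphs [0034] and [0035]: the 32-bit decision field (bit 0 sequence validity, bit 1 proximity, bit 2 release as the AND of the two), the 128-bit authorization instruction with its 5-second validity window, and the access controller's acceptance check that feeds the release record into the log. The patent does not name the 32-bit CRC, so CRC-32 (zlib) is assumed here; the big-endian layout and the rule that the controller also rejects an expiry lying more than 5 seconds ahead are this example's choices.

```python
import zlib
from typing import Dict, List

FRAME_HEADER = 0x55AA
CATEGORY_ADMIN = 0x01            # highest management privilege
DIRECTION_ENTRY_ALLOWED = 0xAA   # allowed entry
VALIDITY_SECONDS = 5

BIT_VALIDITY, BIT_PROXIMITY, BIT_RELEASE = 0, 1, 2


def release_condition(span_m: float, threshold_m: float, sequence_valid: int) -> int:
    """Paragraph [0034]: compare the span with the boundary-crossing threshold (both in
    meters), then AND the proximity flag with the sequence validity flag into a 32-bit field."""
    proximity = 1 if span_m < threshold_m else 0      # >= threshold is a boundary crossing
    valid = sequence_valid & 1
    field = (valid << BIT_VALIDITY) | (proximity << BIT_PROXIMITY)
    if valid and proximity:
        field |= 1 << BIT_RELEASE                       # release flag; otherwise blocking (0)
    return field & 0xFFFFFFFF


def is_released(decision_field: int) -> bool:
    return bool((decision_field >> BIT_RELEASE) & 1)


def build_authorization_instruction(now_s: int, category: int = CATEGORY_ADMIN,
                                    direction: int = DIRECTION_ENTRY_ALLOWED) -> bytes:
    """Paragraph [0035]: 16-bit header + 8-bit category + 8-bit direction +
    64-bit timing (current time plus 5 s validity) + 32-bit CRC = 128 bits."""
    expiry_s = now_s + VALIDITY_SECONDS
    body = (FRAME_HEADER.to_bytes(2, "big") + bytes([category, direction])
            + expiry_s.to_bytes(8, "big"))
    return body + zlib.crc32(body).to_bytes(4, "big")   # CRC-32 is an assumption


def controller_accepts(frame: bytes, now_s: int, log: List[Dict[str, int]]) -> bool:
    """Access-controller side: verify the CRC first, parse the flags, confirm the timing
    flag is inside its validity window, then append the release record to the log."""
    if len(frame) != 16:
        return False
    body, crc = frame[:12], int.from_bytes(frame[12:16], "big")
    if zlib.crc32(body) != crc:
        return False
    if int.from_bytes(body[0:2], "big") != FRAME_HEADER:
        return False
    category, direction = body[2], body[3]
    expiry_s = int.from_bytes(body[4:12], "big")
    # Expired frames are rejected; so are frames whose expiry lies further ahead than
    # the 5 s window allows, since the sandbox never issues such a timing flag.
    if not (now_s <= expiry_s <= now_s + VALIDITY_SECONDS):
        return False
    log.append({"timestamp": now_s, "direction": direction, "category": category})
    return True


if __name__ == "__main__":
    # Constructed scenario from the text: valid sequence, but 3.45 m exceeds the 1.5 m boundary.
    blocked = release_condition(3.45, 1.5, 1)
    print(f"decision field {blocked:#05b}, released={is_released(blocked)}")
    # Second scenario: everything in order, so an instruction is issued and accepted.
    allowed = release_condition(0.4, 1.5, 1)
    if is_released(allowed):
        audit: List[Dict[str, int]] = []
        frame = build_authorization_instruction(now_s=1_700_000_000)
        ok = controller_accepts(frame, 1_700_000_003, audit)
        print(f"instruction {frame.hex()} accepted={ok}, log={audit}")
```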
Claims
1. An access control system for a data center centralized management platform, the system comprising: a management credential pre-construction module, which extracts the entered characters as the administrator's native character sequence, generates interference sequences with the same length as the native character sequence, merges the native character sequence and all interference sequences into a plaintext set to be encoded, encrypts the plaintext set to be encoded to generate an obfuscated credential verification set, identifies the mapping items in the obfuscated credential verification set that belong to the native character sequence, and establishes a hidden index verification form; an access control delay ranging module, which extracts a ranging reference signal from the random bit stream generated by the data center access control program, sends the ranging reference signal to the hardware token receiver to extract the response return timestamp, calculates the signal round-trip time from the response return timestamp and the departure timestamp, extracts the pre-programmed internal circuit transmission delay constant, and calculates the spatial communication span value in combination with the signal round-trip time value; a pre-screening module, which encrypts the external authentication credential string received by the data center access control system to generate an input credential hash, and compares the input credential hash with each record in the obfuscated credential verification set to obtain the hit credential sequence identifier; and an isolation verification and control module, which obtains the sequence validity status from the verification form retrieval trigger command together with the hit credential sequence identifier, and determines, based on the spatial communication span value, whether to send platform access authorization.
2. The access control system of the data center centralized management platform according to claim 1, wherein the steps for obtaining the hidden index verification form are as follows: Based on the input characters output by the centralized management platform of the data center, the administrator's input content is extracted one by one according to the order of character writing, the position corresponding to each character is locked to form the administrator's original character sequence, and then interference characters are configured one by one according to the number of characters in the administrator's original character sequence to generate multiple interference sequences of the same length. The administrator's original character sequence and the multiple interference sequences are written into a unified encoding queue one by one according to the preset insertion rules to form a plaintext set to be encoded. All character positions of each plaintext in the plaintext set to be encoded are read item by item, the first part of the preset salt string is written at the beginning of each plaintext, the second part of the preset salt string is written at the end of each plaintext, the corresponding obfuscated hash content is output continuously according to the character position order, and then the obfuscated hash content corresponding to each plaintext item is written into the verification array column by column according to the arrangement order of the plaintext set to be encoded to generate an obfuscated credential verification set. According to the column writing order of the obfuscated credential verification set, the source order of the column records is checked column by column to locate the column record corresponding to the administrator's original character sequence. The column sorting position number of the column record corresponding to the administrator's original character sequence in the obfuscated credential verification set is extracted, and then the column sorting position number is written into the independent storage area of the one-way communication verification node. A hidden index verification sheet is formed according to the correspondence between the column sorting position number and the independent storage location.
3. The access control system of the data center centralized management platform according to claim 1, characterized in that the steps for obtaining the signal round-trip time value are as follows: Based on the access control random bit stream generated by the data center access control program, the contents of each bit are read bit by bit according to the output bit order of the access control random bit stream. The target synchronization bit used for synchronization determination is locked. The output position and output timing of the target synchronization bit in the access control random bit stream are extracted. Then, the target synchronization bit is separated and written into the ranging trigger channel to form a ranging reference signal. The ranging reference signal is sent to the hardware token receiver. The departure timestamp of the target synchronization bit is recorded at the instant the ranging reference signal leaves the access control sending side. The response return timestamp corresponding to the target synchronization bit is recorded at the instant the hardware token receiver completes the response return. The departure timestamp is then subtracted from the response return timestamp to generate the signal round-trip time value.
4. The access control system of the data center centralized management platform according to claim 1, characterized in that the steps for obtaining the spatial communication span value are as follows: The pre-programmed internal circuit transmission delay constant is retrieved, and the signal round-trip time value is reduced by the internal circuit transmission delay constant. The net propagation time after deduction is extracted, and then, because the signal path is a round trip, the net propagation time is halved to obtain the one-way spatial propagation time. The electromagnetic wave free-space propagation speed constant is invoked to perform span conversion on the one-way spatial propagation time to obtain the spatial communication span value.
5. The access control system of the data center centralized management platform according to claim 1, characterized in that the steps for obtaining the input credential hash are as follows: Based on the external authentication credential string received by the data center access control system, the content of each character position is extracted one by one according to the character input order of the external authentication credential string. The arrangement position and character length information of each character position are recorded. Then, the preset salted string is inserted into the first, middle, and last character positions of the external authentication credential string according to the predetermined concatenation order. The concatenated continuous character content is mapped and transformed one by one. The corresponding hash record is generated according to the fixed output bit width to obtain the input credential hash item.
6. The access control system of the data center centralized management platform according to claim 1, characterized in that the steps for obtaining the hit credential sequence identifier are as follows: Retrieve all column records within the obfuscated credential verification set, read the hash content of each record column by column according to the column sorting order of the obfuscated credential verification set, check the hash content of each record against the content of each output bit of the input credential hash item, count the consistency of the same position of all output bits in each column record, lock the corresponding column record when the character content and arrangement position of all output bits are all consistent, and generate an absolutely consistent matching item. Read the column sorting position number corresponding to the absolutely consistent matching item within the obfuscated credential verification set, write the column sorting position number into the preset identifier encapsulation field, and then output the start position, end position, and check position corresponding to the column sorting position number in a fixed encapsulation order to form the hit credential position identifier.
7. The access control system of the data center centralized management platform according to claim 1, characterized in that the steps for obtaining the positional validity status are as follows: According to the verification sheet retrieval trigger command, the retrieval flag and injection flag in the verification sheet retrieval trigger command are parsed. The hit credential sequence identifier is written into the input port of the one-way data channel according to the transmission direction specified by the verification sheet retrieval trigger command. The hit credential sequence identifier is controlled to pass through the one-way data channel bit by bit and enter the isolation sandbox inside the one-way communication verification node. Then, the isolation sandbox extracts the column sorting sequence number from the hit credential sequence identifier. According to the column sorting sequence number, the corresponding record is located one by one in the hidden index verification sheet. The number content, number position, and number length of the column sorting sequence number are checked for complete consistency with the corresponding record in the hidden index verification sheet. If the number content, number position, and number length of the column sorting sequence number are all consistent, a true value flag is written. If any item of the column sorting sequence number is inconsistent, a negative value flag is written, thus obtaining the sequence validity status.
8. The access control system of the data center centralized management platform according to claim 1, characterized in that the steps for obtaining the platform access authorization are as follows: The system retrieves the threshold value of the access control sensor boundary crossing threshold constant preset by the management system. It compares the spatial communication span value with the threshold value of the access control sensor boundary crossing threshold constant in the same unit. It records the proximity marker when the spatial communication span value is less than the access control sensor boundary crossing threshold constant, and the boundary crossing marker when the spatial communication span value is greater than or equal to the access control sensor boundary crossing threshold constant. Then, it writes the truth mark or negative mark of the positional legality status together with the proximity mark or boundary crossing marker into the same judgment field and performs combined verification according to a predetermined judgment order. When the positional legality status is a truth mark and the proximity mark is valid, it writes a release mark. When the positional legality status is a negative mark or the boundary crossing marker is valid, it writes a blocking mark, thus forming the platform access release condition status. The system reads the release or blocking flag from the platform access release condition status. The isolation sandbox calls the dedicated out-of-band management channel according to the authorization output rule corresponding to the release flag, writes the access category flag, release direction flag, and execution timing flag for the access controller, combines them to form a complete authorization instruction, and sends the complete authorization instruction to the access controller. After receiving the complete authorization instruction, the access controller registers the release record and obtains the platform access release authorization.