An offline account permission management method and system
By generating an unreadable authorization file in an offline environment and decrypting and verifying it on an offline client, the problems of uncontrolled account permission management and weak security in offline environments are solved, achieving secure, controllable and efficient permission management.
Patent Information
- Authority / Receiving Office: CN · China
- Patent Type: Applications (China)
- Current Assignee / Owner: SHANGHAI RONGHE ZHIDIAN NEW ENERGY CO LTD
- Filing Date: 2026-04-27
- Publication Date: 2026-06-19
AI Technical Summary
In offline environments without a stable network connection, traditional account permission management becomes ineffective, leading to loss of control over permission management, weak security, and inconvenience in deployment and updates.
An unreadable authorization file is generated using a preset key and encryption algorithm, and deployed to an offline client. The offline client monitors and decrypts the authorization information to perform identity verification, thereby enabling offline account permission management.
It enables secure and controllable account permission management in an offline environment, improves password security and permission management efficiency, and avoids manual operation on each device.
Figure CN122247744A_ABST
Description
Technical Field
[0001] This invention relates to the field of computer technology, and in particular to an offline account permission management method and system.
Background Technology
[0002] In specific scenarios such as industrial control, military applications, and remote operations, software systems often need to run in offline environments without a stable network connection. Traditional account access management relies on online servers for real-time authentication and authorization, which completely fails in such environments. This leads to the following problems:
Problem 1: Uncontrolled access control. User access on offline devices cannot be effectively controlled, posing a risk of unauthorized operations.
[0003] Problem 2: Weak security. If locally stored account passwords are in plaintext or simply encrypted, they are easily tampered with or cracked, creating security vulnerabilities.
[0004] Problem 3: Inconvenient deployment and updates. Each change of account permissions requires manual operation on each device, which is inefficient and prone to errors.
Summary of the Invention
[0005] The purpose of this invention is to provide an offline account permission management method, device, and electronic device that can solve at least one problem existing in the prior art.
[0006] To solve the above-mentioned technical problems, the present invention provides the following technical solution. This invention provides an offline account permission management method, wherein the method includes:
- a management center receives input authorization information, wherein the authorization information includes: account information, a password hash value corresponding to the account information, and a list of permissions granted to the account;
- the authorization information is encrypted using a preset key and encryption algorithm to generate an unreadable authorization file;
- the authorization file is deployed to the offline client;
- when the offline client detects an account login trigger operation, it searches for the authorization file locally;
- based on the preset key managed in the offline client, the authorization file is decrypted to obtain the authorization information;
- the offline client verifies the account information entered in the trigger operation against the authorization information in order to load the corresponding permissions.
[0007] Optionally, the step of encrypting the authorization information using a preset key and encryption algorithm to generate an unreadable authorization file includes: The authorization information is serialized. The serialized authorization information is encrypted using the AES encryption algorithm and a preset AES key to generate a binary authorization file in a specified format.
[0008] Optionally, when the offline client detects an account login trigger operation, the step of searching for the authorization file locally includes: When the offline client detects an account login trigger operation, the client program checks whether a valid file of a specified format exists in a specified local directory; If it exists, the specified format file will be identified as the license file; If it does not exist, output a login failure message.
[0009] Optionally, the offline client verifies the account information input for the triggered operation based on the authorization information to load the corresponding permissions, including: The offline client compares the account information and password hash value input in the trigger operation to see if they match one by one with the account information and password hash value in the decrypted authorization information; If a match is found, determine whether the current time is within the validity period; wherein the validity period is included in the list of permissions granted to the account. If the validity period is valid, confirm that the user's identity verification is successful. Obtain the list of permissions granted to the account from the decrypted authorization information, and dynamically configure the user interface based on the permission list.
[0010] Optionally, the key managed in the offline client is embedded in the decryption program or stored in the device's security chip.
[0011] Optionally, the binary authorization file in the specified format is a License file.
[0012] This invention also provides an offline account permission management system, which includes a management center and an offline client.
The management center includes:
- a receiving module, used to receive input authorization information, wherein the authorization information includes: account information, the password hash value corresponding to the account information, and a list of permissions granted to the account;
- an encryption module, used to encrypt the authorization information using a preset key and an encryption algorithm to generate an unreadable authorization file;
- a deployment module, used to deploy the authorization file to the offline client.
The offline client includes:
- a search module, used to search for the authorization file locally when the offline client detects an account login trigger operation;
- a decryption module, used to decrypt the authorization file to obtain authorization information based on the preset key managed in the offline client;
- a permission granting module, used to verify the account information entered in the trigger operation against the authorization information in order to load the corresponding permissions.
[0013] Optionally, the encryption module is specifically used for: The authorization information is serialized. The serialized authorization information is encrypted using the AES encryption algorithm and a preset AES key to generate a binary authorization file in a specified format.
[0014] Optionally, the search module is specifically used for: When the offline client detects an account login trigger operation, the client program checks whether a valid file of a specified format exists in a specified local directory; If it exists, the specified format file will be identified as the license file; If it does not exist, output a login failure message.
[0015] Optionally, the permission granting module is specifically used for: Compare the account information and password hash value input in the trigger operation to see if they match one-to-one with the account information and password hash value in the decrypted authorization information; If a match is found, determine whether the current time is within the validity period; wherein the validity period is included in the list of permissions granted to the account. If the validity period is valid, confirm that the user's identity verification is successful. Obtain the list of permissions granted to the account from the decrypted authorization information, and dynamically configure the user interface based on the permission list.
[0016] This invention provides an electronic device, which includes a processor, a memory, and a program or instructions stored in the memory and executable on the processor. When the program or instructions are executed by the processor, they implement the steps of any of the above-described offline account permission management methods.
[0017] This invention provides a readable storage medium storing a program or instructions, which, when executed by a processor, implement the steps of any of the above-described offline account permission management methods.
[0018] The offline account permission management scheme provided in this invention involves the following steps: A management center receives input authorization information; the authorization information is encrypted using a preset key and encryption algorithm to generate an unreadable authorization file; the authorization file is deployed to an offline client; when the offline client detects an account login trigger operation, it searches for the authorization file locally; based on the preset key managed in the offline client, the authorization file is decrypted to obtain the authorization information; the offline client verifies the account information input for the trigger operation based on the authorization information to load the corresponding permissions. This invention provides several advantages: First, it enables secure and controllable account permission management even when the client is completely offline; second, locally stored account passwords are stored in hash value form, making them difficult to tamper with or crack, resulting in high password security; third, it eliminates the need for manual operation on each device every time account permissions change, as the encrypted information is updated and synchronized to the offline client simultaneously, improving processing efficiency.
Attached Figure Description
[0019] Figure 1 is a flowchart illustrating the steps of an offline account permission management method according to an embodiment of this application; Figure 2 is a structural block diagram illustrating an offline account permission management device according to an embodiment of this application.
Detailed Implementation
[0020] To make the technical problems, technical solutions and advantages of the present invention clearer, a detailed description will be given below in conjunction with the accompanying drawings and specific embodiments.
[0021] The offline account permission management scheme provided in this application will be described in detail below with reference to the accompanying drawings, through specific embodiments and application scenarios.
[0022] As shown in Figure 1, the offline account permission management method of this application embodiment includes the following steps:
Step 101: The management center receives the input authorization information.
[0023] The authorization information includes: account information, the hash value of the password corresponding to the account information, and a list of permissions granted to the account. The permission list may include, but is not limited to: permission sets and permission periods (also known as validity periods). The password corresponding to the account in the management center is stored in the form of a hash value, which prevents the true password from being decoded even if maliciously stolen, thus improving password security.
[0024] Step 102: Encrypt the authorization information using a preset key and encryption algorithm to generate an unreadable authorization file.
[0025] This step is the encryption credential pre-setting process. In an environment with network connectivity, such as a management center, the authorization information is encrypted using the AES (Advanced Encryption Standard) encryption algorithm to generate an unreadable authorization file.
[0026] In one optional embodiment, the method for encrypting the authorization information using a preset key and encryption algorithm to generate an unreadable authorization file can be as follows: serializing the authorization information; encrypting the serialized authorization information using the AES encryption algorithm and a preset AES key to generate a binary authorization file in a specified format. The specified format binary authorization file is a License file.
[0027] In this optional embodiment, the AES encryption algorithm is used to encrypt the authorization information. Compared with the existing technology of storing account passwords locally in plaintext or simple encryption, this method can increase the difficulty of being maliciously tampered with, copied or cracked, and improve the security of authorization information management.
[0028] Step 103: Deploy the authorization file to the offline client.
[0029] The encrypted authorization file generated by the management center is deployed to client devices that need to run offline. When a user logs in, the offline client decrypts the authorization file locally using a pre-shared AES key.
[0030] Keys managed in the offline client, such as AES keys, can be embedded in the decryption program or stored in the device's security chip. In practice, the generated binary license file in a specified format can be deployed to the offline client via USB flash drive or internal network branch.
[0031] The offline client also includes a secure storage area for storing encrypted authorization files.
[0032] Step 104: When the offline client detects an account login trigger, search for the authorization file locally.
[0033] The offline client device can be any suitable device, such as a host computer. Client application software is deployed on the offline client and, once launched, displays a user login interface. Users can perform account login operations on this interface, such as entering login information like username and password. The client application software includes a local authorization file parsing module for parsing local authorization files; an AES decryption module with a built-in fixed AES key for decrypting the encrypted authorization file; a permission verification engine for verifying the permissions of the logged-in account; and a local system clock interface for obtaining the current local system time.
[0034] In one alternative embodiment, when an offline client detects an account login trigger, the method for searching the authorization file locally can be as follows: When the offline client detects an account login trigger, the client program checks whether a valid file of a specified format exists in the specified local directory. If it exists, the specified format file is identified as the authorization file; if it does not exist, a login failure message is output.
[0035] Step 105: Decrypt the authorization file to obtain authorization information based on the preset key managed in the offline client.
[0036] The offline client retrieves a preset key from the secure storage area and uses this key to decrypt the authorization file. For example, if the authorization file is generated by encrypting it with an AES key using the AES encryption algorithm, then in this step, the preset AES key is obtained, and the authorization file is parsed based on the AES key to obtain the authorization information. It should be noted that the encryption of the authorization information is not limited to the AES encryption algorithm; any appropriate and highly secure encryption algorithm can be used. This embodiment of the application does not impose specific restrictions on this.
[0037] Step 106: The offline client verifies the account information entered to trigger the operation based on the authorization information in order to load the corresponding permissions.
[0038] In one optional embodiment, the offline client verifies the account information entered in the trigger operation against the authorization information and loads the corresponding permissions through the following sub-steps:
Sub-step 1: The offline client compares the account information and password hash value entered in the trigger operation with the account information and password hash value in the decrypted authorization information to see whether they match one by one. If they match, proceed to sub-step 2; otherwise, return a login failure message.
[0039] Sub-step 2: If a match is found, determine whether the current time is within the validity period; the validity period is included in the list of permissions granted to the account.
[0040] Sub-step 3: If the current time is within the validity period, confirm that the user's identity verification is successful; if the validity period has expired, the user's permissions are deemed invalid and a login failure message is returned.
[0041] Sub-step 4: Obtain the list of permissions granted to the account from the decrypted authorization information, and dynamically configure the user interface based on the permission list.
[0042] The engine dynamically configures the user interface based on the decrypted Permissions list, such as hiding or showing certain function buttons and menus, to achieve fine-grained offline permission control.
[0043] The offline account permission management method provided in this application involves a management center receiving input authorization information; encrypting the authorization information using a preset key and encryption algorithm to generate an unreadable authorization file; deploying the authorization file to an offline client; when the offline client detects an account login trigger operation, searching for the authorization file locally; decrypting the authorization file to obtain authorization information based on the preset key managed in the offline client; and verifying the account information input for the trigger operation based on the authorization information to load the corresponding permissions. The method provided by this invention achieves secure and controllable account permission management under the constraint of a completely offline client; secondly, locally stored account passwords are stored in hash value form, making them difficult to tamper with or crack, resulting in high password security; and thirdly, it eliminates the need for manual operation on each device every time account permissions change, as the encryption is updated and synchronized to the offline client simultaneously, improving processing efficiency.
[0044] The following example illustrates the offline account permission management system provided in this application.
[0045] The offline account permission management system includes an authorization management center and an offline client. The authorization management center contains an online authorization file generation system, and the offline client has client application software installed on it. This client application software has local encrypted authorization verification capabilities.
[0046] The authorization management center is the processing center of the entire system. It runs in a secure networked environment and performs the following operations:
Centralized management: Administrators can visually configure all accounts, permissions, and expiration dates through a web or desktop backend.
[0047] Encryption generation: The system calls the AES encryption module, uses the master key stored in the security keystore to encrypt and package the configured authorization information, and generates an unreadable authorization file, such as the license.lic file.
[0048] Distribution: The generated license.lic file can be distributed to the target offline client device via physical media such as USB flash drives or internal secure networks.
[0049] An exemplary authorization file generation process is as follows: The management center system receives authorization information input by the administrator, including: the username, the corresponding password hash value, a list of permissions granted to the account (such as operator or administrator), and the authorization validity period Valid_From, Valid_To. The system uses a predefined, high-strength AES-256 key to serialize and encrypt this information, generating the final binary authorization file, such as license.lic. The encryption key used must be securely stored in the authorization management center.
[0050] The offline client is the execution terminal of the solution, running in a network-free environment. The core of the client application software installed on the offline client is a local authorization and verification system, including the following functional modules:
File parsing entry point: After the software starts, its local license file parsing module actively searches for and reads license files such as the license.lic file.
[0051] Security Decryption: The AES decryption module uses a key pre-embedded in the program or read from the device's security chip to decrypt the authorized file. This module is the core of security and requires code obfuscation and other hardening treatments during actual implementation.
[0052] Verification Engine: The permission verification engine is the core of the business logic. It coordinates the entire verification process: calling the local system clock interface to obtain the time; comparing the user input with the decrypted information; and performing password hash calculation and comparison.
[0053] Permission mapping: After successful verification, the engine dynamically configures the user interface based on the decrypted permission list, such as hiding or showing certain function buttons and menus, to achieve fine-grained offline permission control.
[0054] An exemplary offline client login verification process is as follows: When a user on the offline client launches a pre-installed application and enters their account and password, the system executes the following process:
S1: File check: The client program checks whether a valid license.lic file exists in its specified directory, such as the program's root directory.
[0055] S2: Decryption and Deserialization: If the license.lic file exists, the client uses the same AES-256 key as the generator (which has been pre-compiled in the client program or stored in the device's secure area) to decrypt the license.lic file and obtain a plaintext set of license information (a list containing multiple license records).
[0056] The AES-256 key is pre-compiled in the client program or stored in the secure area of the offline client.
[0057] S3: Multi-dimensional matching verification: In the decrypted authorization information list, search for a record that matches the "account name" entered by the user. If found, perform the following multi-dimensional verification:
Credential verification: Calculate the hash value of the password entered by the user and compare it with the password hash value Password_Hash stored in the record.
[0058] Time validation: Obtain the client's current system time and determine whether it is within the authorization validity period defined in Valid_From and Valid_To in the record.
[0059] Device fingerprint verification: This adds verification of client device hardware information, binding authorization to a specific device. It should be noted that device fingerprint verification is an optional verification process and may not be performed in actual implementation.
[0060] S4: Authorization Decision: If all the above checks pass, the user account will successfully log in. The system will then load the corresponding operation menus and function permissions for the user based on the Permissions field (permission list field) in the record. If any check fails, a login failure message will be returned.
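The generation process of [0049] and login steps S2 to S4, as an added Go example; it is not code from the patent or its applicant. Assumptions: JSON serialization, AES in GCM mode so that a modified file fails to decrypt (the page names only AES), a one-block PBKDF2-HMAC-SHA256 password hash with a per-record salt, and the hypothetical names Record, Seal, Login and HashPassword; the file lookup of S1 and key storage are left to the caller.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Record holds the fields the description names; Salt is this example's addition.
type Record struct {
	Username           string
	Salt, PasswordHash []byte
	Permissions        []string
	ValidFrom, ValidTo time.Time
}

var ErrLogin = errors.New("login failed") // same error for every rejection

// HashPassword is one-block PBKDF2-HMAC-SHA256 (assumed; the page names no hash).
func HashPassword(password string, salt []byte) []byte {
	mac := hmac.New(sha256.New, []byte(password))
	mac.Write(append(append([]byte{}, salt...), 0, 0, 0, 1))
	u := mac.Sum(nil)
	out := append([]byte{}, u...)
	for i := 1; i < 10000; i++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range out {
			out[j] ^= u[j]
		}
	}
	return out
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal is the management-center side: serialize, then encrypt and authenticate.
// A 32-byte key selects AES-256. Assumed layout: 12-byte nonce || ciphertext || tag.
func Seal(key []byte, records []Record) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	plain, err := json.Marshal(records)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plain, nil), nil
}

// Login is the offline-client side (S2 to S4); now is the local clock reading.
func Login(key, lic []byte, user, password string, now time.Time) ([]string, error) {
	gcm, err := newGCM(key)
	if err != nil || len(lic) < gcm.NonceSize() {
		return nil, ErrLogin
	}
	n := gcm.NonceSize()
	plain, err := gcm.Open(nil, lic[:n], lic[n:], nil) // fails on wrong key or altered file
	var records []Record
	if err != nil || json.Unmarshal(plain, &records) != nil {
		return nil, ErrLogin
	}
	for _, r := range records {
		// S3: account name, validity window and password hash (constant-time) must all match.
		if r.Username == user && !now.Before(r.ValidFrom) && !now.After(r.ValidTo) &&
			subtle.ConstantTimeCompare(HashPassword(password, r.Salt), r.PasswordHash) == 1 {
			return r.Permissions, nil // S4: the permission list drives the UI
		}
	}
	return nil, ErrLogin
}

func main() {
	key, salt := make([]byte, 32), []byte("constructed-salt") // constructed demo values
	from := time.Date(2026, 1, 1, 0, 0, 0, 0, time.UTC)
	rec := Record{"operator1", salt, HashPassword("pw-demo", salt), []string{"operator"}, from, from.AddDate(1, 0, 0)}
	lic, _ := Seal(key, []Record{rec})
	fmt.Println(Login(key, lic, "operator1", "pw-demo", from.AddDate(0, 6, 0)))
	lic[len(lic)-1] ^= 1 // one flipped bit, as in an edited file
	fmt.Println(Login(key, lic, "operator1", "pw-demo", from.AddDate(0, 6, 0)))
}
```

Because `now` comes from the caller, the validity check inherits whatever trust the local clock deserves, which is the limitation [0061] acknowledges.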
[0061] This specific example provides an offline account access management system that, under complete offline constraints, achieves near-online, secure, and controllable account access management. Security is primarily ensured in three aspects: First, the entire authorization file is AES encrypted, making it impossible to read or tamper with directly. Second, passwords are stored in hash form, so even if the file is cracked and the key is leaked, the original password cannot be directly obtained. Third, validity period verification relies on the client's local time; although this may be modified by the user, combining it with log auditing or binding it to secure hardware modules increases the difficulty of tampering.
[0062] Figure 2 shows the structural block diagram of the offline account permission management system in this embodiment of the application.
[0063] The offline account permission management system provided in this application embodiment includes: a management center 201 and an offline client 202.
The management center 201 includes the following functional modules:
- the receiving module 2011, used to receive input authorization information, wherein the authorization information includes: account information, the password hash value corresponding to the account information, and a list of permissions granted to the account;
- the encryption module 2012, used to encrypt the authorization information using a preset key and encryption algorithm to generate an unreadable authorization file;
- the deployment module 2013, used to deploy the authorization file to the offline client.
The offline client includes:
- the search module 2014, used to search for the authorization file locally when the offline client detects an account login trigger operation;
- the decryption module 2015, used to decrypt the authorization file to obtain authorization information based on the preset key managed in the offline client;
- the permission granting module 2016, used to verify the account information entered in the trigger operation against the authorization information in order to load the corresponding permissions.
[0064] Optionally, the encryption module is specifically used for: The authorization information is serialized. The serialized authorization information is encrypted using the AES encryption algorithm and a preset AES key to generate a binary authorization file in a specified format.
[0065] Optionally, the search module is specifically used for: When the offline client detects an account login trigger operation, the client program checks whether a valid file of a specified format exists in a specified local directory; If it exists, the specified format file will be identified as the license file; If it does not exist, output a login failure message.
[0066] Optionally, the permission granting module is specifically used for: Compare the account information and password hash value input in the trigger operation to see if they match one-to-one with the account information and password hash value in the decrypted authorization information; If a match is found, determine whether the current time is within the validity period; wherein the validity period is included in the list of permissions granted to the account. If the validity period is valid, confirm that the user's identity verification is successful. Obtain the list of permissions granted to the account from the decrypted authorization information, and dynamically configure the user interface based on the permission list.
[0067] The offline account permission management system provided in this application embodiment receives input authorization information in its management center; encrypts the authorization information using a preset key and encryption algorithm to generate an unreadable authorization file; deploys the authorization file to the offline client; when the offline client detects an account login trigger operation, it searches for the authorization file locally; based on the preset key managed in the offline client, it decrypts the authorization file to obtain authorization information; the offline client verifies the account information input for the trigger operation based on the authorization information to load the corresponding permissions. The offline account permission management system provided in this embodiment of the invention can achieve secure and controllable account permission management under the constraint of the client being completely offline.
[0068] The management center in the offline account permission management system shown in Figure 2 of the embodiments of this application can be a device with an operating system. This operating system can be Android, iOS, or other possible operating systems; this application embodiment does not specifically limit the operating system used.
[0069] The offline account permission management system shown in Figure 2 can implement the various processes of the method embodiment shown in Figure 1; to avoid repetition, they will not be described again here.
[0070] Optionally, embodiments of this application also provide an electronic device, including a processor, a memory, and a program or instructions stored in the memory and executable on the processor. When the program or instructions are executed by the processor, they implement the processes executed by the management center in the aforementioned offline account permission management system and achieve the same technical effect. To avoid repetition, they will not be described again here.
[0071] It should be noted that the electronic device in this application embodiment includes the server described above.
[0072] The processor is the processor in the electronic device described in the above embodiments. The readable storage medium includes computer-readable storage media, such as computer read-only memory (ROM), random access memory (RAM), magnetic disk, or optical disk.
[0073] It should be noted that, in this document, the terms "comprising," "including," or any other variations thereof are intended to cover non-exclusive inclusion, such that a process, method, article, or apparatus that comprises a list of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article, or apparatus. Unless otherwise specified, an element defined by the phrase "comprising one..." does not exclude the presence of other identical elements in the process, method, article, or apparatus that includes that element.
[0074] The above description represents the preferred embodiments of the present invention. It should be noted that those skilled in the art can make various improvements and modifications without departing from the principles of the present invention, and these improvements and modifications should also be considered within the scope of protection of the present invention.
Claims
1. An offline account permission management method, characterized in that the method includes:
- the management center receives the input authorization information, which includes: account information, the password hash value corresponding to the account information, and a list of permissions granted to the account;
- the authorization information is encrypted using a preset key and encryption algorithm to generate an unreadable authorization file;
- the authorization file is deployed to the offline client;
- when the offline client detects an account login trigger operation, it searches for the authorization file locally;
- based on the preset key managed in the offline client, the authorization file is decrypted to obtain authorization information;
- the offline client verifies the account information entered in the trigger operation against the authorization information in order to load the corresponding permissions.
2. The method according to claim 1, characterized in that the step of encrypting the authorization information using a preset key and an encryption algorithm to generate an unreadable authorization file includes: serializing the authorization information; and encrypting the serialized authorization information using the AES encryption algorithm and a preset AES key to generate a binary authorization file in a specified format.
3. The method according to claim 2, characterized in that the step of searching for the authorization file locally when the offline client detects an account login trigger operation includes: when the offline client detects an account login trigger operation, the client program checking whether a valid file of the specified format exists in a specified local directory; if it exists, identifying the file of the specified format as the authorization file; if it does not exist, outputting a login failure message.
4. The method according to claim 1, characterized in that the step of the offline client verifying the account information input by the trigger operation against the authorization information in order to load the corresponding permissions includes: the offline client comparing the account information and password hash value input by the trigger operation with the account information and password hash value in the decrypted authorization information to determine whether they match one-to-one; if they match, determining whether the current time is within the validity period, wherein the validity period is included in the list of permissions granted to the account; if the current time is within the validity period, confirming that the user's identity verification is successful; and obtaining the list of permissions granted to the account from the decrypted authorization information and dynamically configuring the user interface based on the permission list.
5. The method according to claim 1, characterized in that the keys managed in the offline client are either embedded in the decryption program or stored in the device's security chip.
6. The method according to claim 1, characterized in that the binary authorization file in the specified format is a License file.
7. An offline account permission management system, comprising a management center and an offline client, characterized in that the management center includes: a receiving module used to receive input authorization information, wherein the authorization information includes account information, the password hash value corresponding to the account information, and a list of permissions granted to the account; an encryption module used to encrypt the authorization information using a preset key and an encryption algorithm to generate an unreadable authorization file; and a deployment module used to deploy the authorization file to the offline client; and the offline client includes: a search module used to search for the authorization file locally when the offline client detects an account login trigger operation; a decryption module used to decrypt the authorization file, based on the preset key managed in the offline client, to obtain the authorization information; and a permission granting module used to verify the account information input by the trigger operation against the authorization information in order to load the corresponding permissions.
8. The system according to claim 7, characterized in that the encryption module is specifically used for: serializing the authorization information; and encrypting the serialized authorization information using the AES encryption algorithm and a preset AES key to generate a binary authorization file in a specified format.
9. The system according to claim 8, characterized in that the search module is specifically used for: when the offline client detects an account login trigger operation, the client program checking whether a valid file of the specified format exists in a specified local directory; if it exists, identifying the file of the specified format as the authorization file; if it does not exist, outputting a login failure message.
10. The system according to claim 7, characterized in that the permission granting module is specifically used for: comparing the account information and password hash value input by the trigger operation with the account information and password hash value in the decrypted authorization information to determine whether they match one-to-one; if they match, determining whether the current time is within the validity period, wherein the validity period is included in the list of permissions granted to the account; if the current time is within the validity period, confirming that the user's identity verification is successful; and obtaining the list of permissions granted to the account from the decrypted authorization information and dynamically configuring the user interface based on the permission list.
11. An electronic device, characterized in that the electronic device includes a processor, a memory, and a program or instructions stored in the memory and executable on the processor, wherein the program or instructions, when executed by the processor, implement the steps of the offline account permission management method of any one of claims 1-6.
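The flow of claims 1, 2 and 4, from sealing the authorization information at the management center to the login check on the offline client, as an added Ruby example that is not part of the patent text. The claims name only AES with a preset key; the AES-256-GCM mode (chosen so an altered file fails to decrypt), the JSON serialization, the nonce, tag, ciphertext file layout, the field names and all function names are assumptions of this example.

```ruby
require "openssl"
require "json"

NONCE_LEN = 12 # GCM nonce bytes
TAG_LEN = 16   # GCM tag bytes

# Management center: serialize the authorization information, then encrypt it.
# Assumed file layout: nonce || tag || ciphertext.
def seal_authorization(key, auth)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = key
  nonce = cipher.random_iv
  cipher.auth_data = ""
  ciphertext = cipher.update(JSON.generate(auth)) + cipher.final
  nonce + cipher.auth_tag + ciphertext
end

# Offline client: decrypt the file; nil if it is missing, truncated or altered.
def open_authorization(key, file)
  return nil if file.nil? || file.bytesize <= NONCE_LEN + TAG_LEN
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = key
  cipher.iv = file.byteslice(0, NONCE_LEN)
  cipher.auth_tag = file.byteslice(NONCE_LEN, TAG_LEN)
  cipher.auth_data = ""
  body = file.byteslice((NONCE_LEN + TAG_LEN)..-1)
  plain = cipher.update(body) + cipher.final # final raises on a bad tag
  JSON.parse(plain.force_encoding("UTF-8"))
rescue OpenSSL::Cipher::CipherError, JSON::ParserError
  nil
end

# Compare two strings through their SHA-256 digests without an early exit.
def same?(a, b)
  da = OpenSSL::Digest::SHA256.digest(a.to_s)
  db = OpenSSL::Digest::SHA256.digest(b.to_s)
  da.bytes.zip(db.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Claim 4: match account and password hash, check the validity period, then
# return the permission list (nil on any failure).
def login(key, file, account, pw_hash, now)
  auth = open_authorization(key, file)
  return nil unless auth.is_a?(Hash)
  matched = same?(account, auth["account"]) & same?(pw_hash, auth["pw_hash"])
  return nil unless matched && now.to_i <= auth["valid_until"].to_i
  auth["permissions"]
end
```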