Method and system for adding members to a door lock

By building a pure routing path and hierarchical verification mechanism for smart locks in an offline environment, the problem of secure remote injection of visitor permissions in smart locks in an offline environment is solved, and secure and efficient temporary permission management is achieved.

CN122369147APending Publication Date: 2026-07-10DESSMANN CHINA MACHINERY & ELECTRONICS

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Applications(China)
Current Assignee / Owner
DESSMANN CHINA MACHINERY & ELECTRONICS
Filing Date
2026-06-10
Publication Date
2026-07-10

AI Technical Summary

Technical Problem

Existing smart door locks cannot securely grant temporary permissions to visitors in offline environments, and suffer from problems such as opaque network address translation paths, vulnerability to man-in-the-middle attacks, and lack of a mechanism for verifying permission data in conjunction with local biometric features.

Method used

The visitor terminal establishes a local connection with the offline door lock, applies for an independent public IP address, constructs a pure routing path, the administrator remotely generates encrypted authorization commands, the relay node listens to and reconstructs the messages, and the door lock performs hierarchical verification and temporary permission injection to ensure secure comparison of visitor biometrics.

Benefits of technology

It enables secure remote injection of visitor permissions even without internet access, improving network environment adaptability and the security of the authorization process.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN122369147A_ABST
    Figure CN122369147A_ABST
Patent Text Reader

Abstract

This invention discloses a method and system for adding members to a door lock. The method includes: constructing a non-network address translation (NAT) traversal path from the visitor terminal to the door lock based on a local connection established between the visitor terminal and the offline door lock; generating an encrypted authorization instruction payload after the management terminal confirms the visitor's identity based on a video call and public network address exchange established between the visitor terminal and the management terminal; reconstructing a new message based on the encrypted instruction payload intercepted by the visitor terminal and sending it to the door lock along the original path; and decrypting and verifying the administrator's biometric features upon receiving the reconstructed message, comparing the visitor's biometric features in the message with biometric features collected in real time on-site, destroying the visitor's features in the message after successful comparison, and saving the biometric features collected on-site as a temporary unlock template. Using this invention, secure remote injection of visitor permissions can be achieved under conditions without internet access, improving adaptability to network environments and the security of the authorization process.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This invention belongs to the field of smart door lock technology, and in particular, it relates to a method and system for adding members to a door lock. Background Technology

[0002] Currently, member management and permission granting in smart locks heavily rely on a continuous network connection. Existing solutions typically require locks to have built-in Wi-Fi or cellular modules and constant access to a cloud server, with administrators granting permissions remotely via the cloud platform. However, in offline environments (such as basements, remote areas, or during network failures), locks cannot communicate with the cloud, making it difficult for administrators to securely grant temporary permissions to visitors. Some solutions attempt to use visitor terminals as relays, but these often employ Network Address Translation (NAT) pass-through or application-layer data forwarding, resulting in opaque routing paths, vulnerability to man-in-the-middle attacks, and a lack of mechanisms for verifying permission data fusion with local biometrics. Furthermore, traditional methods transmit the biometrics of administrators and visitors in plaintext or with weak encryption in the same channel, or have the lock directly store temporary characteristics, increasing the risk of feature leakage and unauthorized reuse. Summary of the Invention

[0003] The purpose of this invention is to provide a method and system for adding members to a door lock, in order to overcome the shortcomings of the prior art, and to enable secure remote injection of visitor permissions under conditions without Internet access, thereby improving adaptability to the network environment and the security of the authorization process.

[0004] One embodiment of this application provides a method for adding a member to a door lock, the method comprising: Offline door lock temporary networking and pure routing path construction: Based on the local connection established between the visitor terminal and the offline door lock, the visitor terminal applies for an independent public network address from the operator network and configures the address and mobile hotspot certificate to the door lock. At the same time, the visitor terminal establishes a pure routing forwarding rule pointing to the public network address at the system bottom layer, and constructs a non-network address translation penetration path from the terminal to the door lock. Remote authorization command issuance by administrator: Based on the video call and public network address exchange established between the visitor terminal and the management terminal, after the management terminal confirms the visitor's identity, it generates an encrypted authorization command payload containing the administrator's biometrics and sends the command payload directly over the Internet with the public network address of the door lock as the destination address. Relay node bypass listening and blind assembly reconstruction: Based on the encrypted instruction payload intercepted by the visitor terminal on the pure routing path, without decrypting the payload content, the network protocol header is stripped to extract the original encrypted payload, and the locally collected visitor biometric features are used as additional data to reconstruct and generate a new message, which is then sent to the door lock along the original path. Door lock hierarchical verification and temporary permission injection: After receiving the reconstructed message, the door lock decrypts it, extracts the administrator's biometric features, and verifies them using a first preset threshold. Then, it uses the first preset threshold to compare the visitor's biometric features in the message as a one-time comparison token with the biometric features collected in real time on-site. After the comparison is successful, the visitor feature token in the message is destroyed, and the biometric features collected on-site are saved as a temporary unlock template. During daily unlocking, the door lock compares the temporary unlock template with a second preset threshold greater than the first preset threshold, realizing secure remote injection of visitor permissions in an offline environment. Among them, the door lock, management terminal, and visitor terminal all have built-in face feature extraction models trained with feature space alignment. The first preset threshold is calibrated based on the cross-device feature similarity decay distribution curve, and the second preset threshold is calibrated based on the local same-source device feature distribution and preset false recognition rate constraints.

[0005] Optionally, the offline door lock temporary network and pure routing path construction includes: Local connection establishment: The visitor terminal establishes a connection with the offline door lock via Bluetooth. In the case of multiple door locks, the visitor terminal scans and establishes a Bluetooth connection with all door locks to be configured and counts the number of door locks. Independent public IP address application: Based on the number of door locks obtained by the visitor terminal via Bluetooth, apply to the operator's network for the corresponding number of independent public IPv4 addresses; Static network configuration and hotspot access: Based on the obtained public IPv4 address, subnet mask, and default gateway, the visitor terminal sends the mobile hotspot access certificate and the above network parameters as static configuration to each door lock via Bluetooth. After configuration, the door lock connects to the visitor terminal's mobile hotspot and starts listening on a fixed port. The door locks feed back their respective port status to the visitor terminal via Bluetooth. The visitor terminal confirms that the door lock is online by reading the neighbor table of the local hotspot network segment and completes the mapping relationship between the door lock ID and the public IPv4 address and port. Pure routing forwarding rule injection: Based on the routing table of the visitor terminal in the local operating system, specific routing rules are injected to specify that the outgoing interface of the packet with the destination address as the public IPv4 address is the mobile hotspot LAN interface, and a non-network address translation penetration path is established.

[0006] Optionally, the remote authorization command issued by the administrator includes: Video call and address exchange: The visitor terminal and the management terminal establish a video call through the cloud platform. The visitor terminal sends the list of public network addresses of the online door locks to the management terminal, and the two parties exchange their current public network communication addresses. Administrator identity verification: After visually verifying the visitor's identity via video call through the management terminal, configure temporary permission parameters on the management terminal; Encrypted instruction payload generation: Based on the facial feature vector extracted from the management terminal, an encrypted authorization instruction payload containing the administrator's facial feature vector and the number of valid days is generated using a digital envelope mechanism; Direct instruction transmission: Based on the encrypted authorization instruction payload, the management terminal uses the public network address of the door lock as the destination address, directly uses the encrypted instruction payload as the payload of the standard User Datagram Protocol (UDP) message, constructs a single-layer UDP message, and sends it directly over the Internet.

[0007] Optionally, the relay node bypass listening and blind assembly reconstruction includes: Message bypass interception: Based on the visitor terminal's underlying message capture mechanism in user space, listen for and intercept user datagram protocol messages that pass through before the standard routing forwarding of the operating system, with the destination address being the public network address of the door lock; Blind payload extraction: Based on the visitor terminal, the network layer protocol header and transport layer protocol header of the message are stripped, skipping the business semantic parsing, and only the encrypted instruction payload in the user datagram protocol payload is extracted and temporarily stored; Local biometric data collection: Based on the visitor's terminal, the local camera is used to perform liveness detection and extract the visitor's facial feature vector; Blind payload assembly and retransmission: Based on the temporarily stored original encrypted instruction payload and the locally extracted visitor facial feature vector, the application layer payload data structure is reconstructed. The structure includes, in sequence, the encrypted payload length field, the original encrypted instruction payload, the custom appended identifier, and the visitor facial feature vector. The visitor terminal re-encapsulates the network protocol header and transport layer protocol header for the reconstructed payload, generates a new message, and submits it to the operating system for transmission.

[0008] Optionally, the door lock hierarchical verification and temporary permission injection include: Administrator permission verification: Based on the door lock, read the length of the encrypted payload in the reconstructed message by a fixed offset, extract the ciphertext, use the local private key to decrypt and recover the symmetric session key, then decrypt the business payload to extract the administrator's facial feature vector, and compare it with the locally stored administrator template with a first preset threshold to confirm the legality of the authorization command; Visitor token on-site binding: After the door lock detects the custom appended identifier at the end of the message, it extracts the visitor's facial feature vector at the end as a one-time comparison token for temporary storage, and triggers the door lock's voice prompt to require the registered person to scan their face on-site. The door lock calls the local camera for liveness detection and extracts the on-site facial feature vector. Within a preset time, it compares the temporarily stored visitor token with the on-site collected features 1:1 with the first preset threshold. Local high-precision template overlay: Based on the comparison result, the visitor's facial feature vector in the door lock destruction message is used to save the on-site facial feature vector collected by the door lock's local camera as a temporary permission unlock template. This template is used for daily unlocking and is compared with a second preset threshold, where the second preset threshold is greater than the first preset threshold.

[0009] Optionally, the method also includes bulk visitor authorization: Local Area Network Feature Secure Aggregation: When the main visitor terminal activates a mobile hotspot, other visitor terminals in the same region connect to the hotspot and establish a secure channel within the local area network through the near-field discovery protocol. They then send their independently extracted facial features and identity identifiers to the main visitor terminal for aggregation. Batch command blind assembly: After the main visitor terminal intercepts the encrypted command payload containing batch entry markers issued by the management terminal, it appends its own characteristics and the aggregated list of accompanying personnel characteristics to the end of the original encrypted payload in a self-descriptive nested format without decryption, and reconstructs and generates a new message to be sent to the door lock. The self-descriptive nested format includes, in sequence: encrypted payload length field, original encrypted command payload, custom append identifier, batch feature identifier, main visitor face feature vector, number of accompanying personnel, and list of accompanying personnel face feature vectors. The order of items in the list is identity identifier length, identity identifier, feature vector length, and accompanying visitor face feature vector. Batch door lock verification: After decrypting the door lock and verifying the administrator's permissions, the custom appended identifier and batch feature identifier are parsed out. First, the on-site entity binding verification is performed on the main visitor. Then, the corresponding personnel are called one by one according to the number of accompanying personnel and the list. The features in the list are used as a one-time comparison token and compared with the on-site collected features for the first preset threshold. If the comparison is successful, the token is destroyed and the high-precision feature template collected locally by the door lock is saved. If the comparison fails or times out, the current item is skipped and the next person is prompted until the traversal is completed.

[0010] Optionally, the method further includes enhanced visual confirmation by administrator on a person-by-person basis: The main visitor terminal synthesizes the real-time video streams of each accompanying visitor into a picture-in-picture format and sends it to the management terminal. The administrator confirms and marks each visitor as approved in the synthesized screen. The main visitor terminal only includes the characteristics of the confirmed visitors in the message reconstruction.

[0011] Optionally, the method also includes tamper-proof multi-user batch authorization based on reverse pure routing within a local area network: Reverse pure routing path establishment: The main visitor terminal assigns an independent virtual LAN IP to the visitor terminal of the same party, creates a reverse traffic tunnel to intercept packets with the destination address as the lock and pulls them to the virtual network interface, and then forwards the packets with the source IP preserved as is through the original socket to skip the network address translation of the system kernel, thereby establishing a reverse pure routing path. Mapping table synchronization and blind assembly: The main visitor terminal synchronizes the binding mapping table of identity identifier and virtual LAN IP to the management terminal. The management terminal binds it to the video stream for display and packages the virtual LAN IP of the confirmed personnel into the encrypted command payload and sends it down. After intercepting the data, the main visitor terminal blindly assembles the data, only adding its own characteristics to generate a new message and sending it to the door lock. Whitelist generation and main visitor verification: After the door lock is decrypted and the permissions are verified, the mapping list is parsed out and temporarily stored as the physical source whitelist. After the main visitor is verified, a ready signaling is returned. Visitor direct transmission and bypass pass-through: The visitor terminal in the same industry sends a characteristic message with its own virtual LAN IP as the source address; the main visitor terminal intercepts the message and forwards it as a stateless binary stream through the hotspot outgoing interface to the door lock without resolution. Source IP strong verification: The door lock reads the source IP of the message and compares it with the whitelist. If they match, it queries the identity identifier, calls and performs on-site face recognition token comparison and saves the local high-precision template. If they do not match, the message is discarded.

[0012] Another embodiment of this application provides a system for adding members to a door lock, the system comprising: The module is used for temporary networking and pure routing path construction of offline door locks: Based on the local connection established between the visitor terminal and the offline door lock, the visitor terminal applies for an independent public network address from the operator network and configures the address and mobile hotspot certificate to the door lock. At the same time, the visitor terminal establishes a pure routing forwarding rule pointing to the public network address at the system bottom layer, and constructs a non-network address translation penetration path from the terminal to the door lock. The distribution module is used to issue remote authorization commands to the administrator: based on the video call and public network address exchange established between the visitor terminal and the management terminal, after the management terminal confirms the visitor's identity, it generates an encrypted authorization command payload containing the administrator's biometrics and sends the command payload directly over the Internet with the public network address of the door lock as the destination address. The reconstruction module is used for relay node bypass listening and blind assembly reconstruction: based on the encrypted instruction payload intercepted by the visitor terminal on the pure routing path, without decrypting the payload content, the network protocol header is stripped to extract the original encrypted payload, and the locally collected visitor biometric features are used as additional data to reconstruct and generate a new message, which is then sent to the door lock along the original path. The injection module is used for door lock hierarchical verification and temporary permission injection: After receiving the reconstructed message from the door lock, it decrypts and extracts the administrator's biometric features. After verification with a first preset threshold, the visitor's biometric features in the message are used as a one-time comparison token and compared with the biometric features collected in real time on site, using the first preset threshold. After the comparison is successful, the visitor feature token in the message is destroyed, and the biometric features collected on site are saved as a temporary unlock template. During daily unlocking, the door lock compares with the temporary unlock template with a second preset threshold greater than the first preset threshold, realizing secure remote injection of visitor permissions in offline environment. Among them, the door lock, management terminal and visitor terminal all have built-in face feature extraction models trained with feature space alignment. The first preset threshold is calibrated based on the cross-device feature similarity decay distribution curve, and the second preset threshold is calibrated based on the local same-source device feature distribution and preset false recognition rate constraints.

[0013] Another embodiment of this application provides a storage medium storing a computer program, wherein the computer program is configured to execute the method described in any of the preceding claims when running.

[0014] Another embodiment of this application provides an electronic device including a memory and a processor, wherein the memory stores a computer program and the processor is configured to run the computer program to perform the method described in any of the preceding claims.

[0015] Compared with existing technologies, the present invention provides a method for adding members to a door lock, which enables secure remote injection of visitor permissions under conditions without internet access, thereby improving adaptability to the network environment and the security of the authorization process. Attached Figure Description

[0016] Figure 1 Hardware structure block diagram of a computer terminal for a method of adding members to a door lock provided in an embodiment of the present invention; Figure 2 A flowchart illustrating a method for adding members to a door lock according to an embodiment of the present invention; Figure 3 This is a schematic diagram of a system for adding members to a door lock, provided as an embodiment of the present invention. Detailed Implementation

[0017] The embodiments described below with reference to the accompanying drawings are exemplary and are only used to explain the present invention, and should not be construed as limiting the present invention.

[0018] An elderly person has relatives visiting and will be staying for a while. The elderly person wants to grant the visitors temporary access (e.g., facial recognition) but doesn't know how to do it. Therefore, they hope their child (who also manages the lock but doesn't live with the elderly person) can remotely grant the visitors facial recognition access to the lock. The elderly person doesn't have internet access, and the lock is usually offline.

[0019] This invention first provides a method for adding members to a door lock. This method can be applied to electronic devices, such as computer terminals, specifically ordinary computers.

[0020] The following detailed explanation uses a computer terminal as an example. Figure 1 This is a hardware block diagram of a computer terminal for a method of adding members to a door lock, as provided in an embodiment of the present invention. Figure 1 As shown, the computer device includes a processor, memory, and network interface connected via a system bus, wherein the memory may include non-volatile storage media and internal memory.

[0021] See Figure 2 The present invention provides a method for adding members to a door lock, which may include the following steps: S201, Offline door lock temporary network setup and pure routing path construction: Based on the local connection established between the visitor terminal and the offline door lock, the visitor terminal requests an independent public network address from the operator's network and configures this address and mobile hotspot credentials to the door lock. Simultaneously, the visitor terminal establishes a pure routing forwarding rule pointing to this public network address at the system's underlying layer, constructing a non-network address translation (NAT) traversal path from the terminal to the door lock; specifically, the offline door lock temporary network setup and pure routing path construction includes: Local connection establishment: The visitor terminal establishes a connection with the offline door lock via Bluetooth. In the case of multiple door locks, the visitor terminal scans and establishes a Bluetooth connection with all door locks to be configured and counts the number of door locks. Independent public IP address application: Based on the number of door locks obtained by the visitor terminal via Bluetooth, apply to the operator's network for the corresponding number of independent public IPv4 addresses; Static network configuration and hotspot access: Based on the obtained public IPv4 address, subnet mask, and default gateway, the visitor terminal sends the mobile hotspot access certificate and the above network parameters as static configuration to each door lock via Bluetooth. After configuration, the door lock connects to the visitor terminal's mobile hotspot and starts listening on a fixed port. The door locks feed back their respective port status to the visitor terminal via Bluetooth. The visitor terminal confirms that the door lock is online by reading the neighbor table of the local hotspot network segment and completes the mapping relationship between the door lock ID and the public IPv4 address and port. Pure routing forwarding rule injection: Based on the routing table of the visitor terminal in the local operating system, specific routing rules are injected to specify that the outgoing interface of the packet with the destination address as the public IPv4 address is the mobile hotspot LAN interface, and a non-network address translation penetration path is established.

[0022] S202, Remote Authorization Command Issuance by Administrator: Based on the video call and public network address exchange established between the visitor terminal and the management terminal, after confirming the visitor's identity, the management terminal generates an encrypted authorization command payload containing the administrator's biometrics and sends the command payload directly over the Internet with the door lock's public network address as the destination address; specifically, the issuance of the remote authorization command by administrator includes: Video call and address exchange: The visitor terminal and the management terminal establish a video call through the cloud platform. The visitor terminal sends the list of public network addresses of the online door locks to the management terminal, and the two parties exchange their current public network communication addresses. Administrator identity verification: After visually verifying the visitor's identity via video call through the management terminal, configure temporary permission parameters on the management terminal; Encrypted instruction payload generation: Based on the facial feature vector extracted from the management terminal, an encrypted authorization instruction payload containing the administrator's facial feature vector and the number of valid days is generated using a digital envelope mechanism; Direct instruction transmission: Based on the encrypted authorization instruction payload, the management terminal uses the public network address of the door lock as the destination address, directly uses the encrypted instruction payload as the payload of the standard User Datagram Protocol (UDP) message, constructs a single-layer UDP message, and sends it directly over the Internet.

[0023] S203, Relay Node Bypass Monitoring and Blind Assembly Reconstruction: Based on the encrypted instruction payload intercepted by the visitor terminal on the pure routing path, without decrypting the payload content, the network protocol header is stripped to extract the original encrypted payload, and the locally collected visitor biometric features are used as appended data to reconstruct and generate a new message, which is then sent to the door lock along the original path; specifically, the relay node bypass monitoring and blind assembly reconstruction includes: Message bypass interception: Based on the visitor terminal's underlying message capture mechanism in user space, listen for and intercept user datagram protocol messages that pass through before the standard routing forwarding of the operating system, with the destination address being the public network address of the door lock; Blind payload extraction: Based on the visitor terminal, the network layer protocol header and transport layer protocol header of the message are stripped, skipping the business semantic parsing, and only the encrypted instruction payload in the user datagram protocol payload is extracted and temporarily stored; Local biometric data collection: Based on the visitor's terminal, the local camera is used to perform liveness detection and extract the visitor's facial feature vector; Blind payload assembly and retransmission: Based on the temporarily stored original encrypted instruction payload and the locally extracted visitor facial feature vector, the application layer payload data structure is reconstructed. The structure includes, in sequence, the encrypted payload length field, the original encrypted instruction payload, the custom appended identifier, and the visitor facial feature vector. The visitor terminal re-encapsulates the network protocol header and transport layer protocol header for the reconstructed payload, generates a new message, and submits it to the operating system for transmission.

[0024] S204, Door Lock Hierarchical Verification and Temporary Permission Injection: Based on the reconstructed message received by the door lock, the administrator's biometric features are decrypted and extracted. After verification using a first preset threshold, the visitor's biometric features in the message are compared with the biometric features collected in real-time using the first preset threshold as a one-time comparison token. Upon successful comparison, the visitor's feature token in the message is destroyed, and the biometric features collected in real-time are saved as a temporary unlock template. During daily unlocking, the door lock compares this temporary unlock template with a second preset threshold greater than the first preset threshold, achieving secure remote injection of visitor permissions in an offline environment. Specifically, the door lock, management terminal, and visitor terminal all have built-in face feature extraction models trained with feature space alignment. The first preset threshold is calibrated based on the cross-device feature similarity decay distribution curve, and the second preset threshold is calibrated based on the local same-source device feature distribution and a preset false recognition rate constraint. Specifically, the door lock hierarchical verification and temporary permission injection includes: Administrator permission verification: Based on the door lock, read the length of the encrypted payload in the reconstructed message by a fixed offset, extract the ciphertext, use the local private key to decrypt and recover the symmetric session key, then decrypt the business payload to extract the administrator's facial feature vector, and compare it with the locally stored administrator template with a first preset threshold to confirm the legality of the authorization command; Visitor token on-site binding: After the door lock detects the custom appended identifier at the end of the message, it extracts the visitor's facial feature vector at the end as a one-time comparison token for temporary storage, and triggers the door lock's voice prompt to require the registered person to scan their face on-site. The door lock calls the local camera for liveness detection and extracts the on-site facial feature vector. Within a preset time, it compares the temporarily stored visitor token with the on-site collected features 1:1 with the first preset threshold. Local high-precision template overlay: Based on the comparison result, the visitor's facial feature vector in the door lock destruction message is used to save the on-site facial feature vector collected by the door lock's local camera as a temporary permission unlock template. This template is used for daily unlocking and is compared with a second preset threshold, where the second preset threshold is greater than the first preset threshold.

[0025] Furthermore, the method also includes bulk visitor authorization: Local Area Network Feature Secure Aggregation: When the main visitor terminal activates a mobile hotspot, other visitor terminals in the same region connect to the hotspot and establish a secure channel within the local area network through the near-field discovery protocol. They then send their independently extracted facial features and identity identifiers to the main visitor terminal for aggregation. Batch command blind assembly: After the main visitor terminal intercepts the encrypted command payload containing batch entry markers issued by the management terminal, it appends its own characteristics and the aggregated list of accompanying personnel characteristics to the end of the original encrypted payload in a self-descriptive nested format without decryption, and reconstructs and generates a new message to be sent to the door lock. The self-descriptive nested format includes, in sequence: encrypted payload length field, original encrypted command payload, custom append identifier, batch feature identifier, main visitor face feature vector, number of accompanying personnel, and list of accompanying personnel face feature vectors. The order of items in the list is identity identifier length, identity identifier, feature vector length, and accompanying visitor face feature vector. Batch door lock verification: After decrypting the door lock and verifying the administrator's permissions, the custom appended identifier and batch feature identifier are parsed out. First, the on-site entity binding verification is performed on the main visitor. Then, the corresponding personnel are called one by one according to the number of accompanying personnel and the list. The features in the list are used as a one-time comparison token and compared with the on-site collected features for the first preset threshold. If the comparison is successful, the token is destroyed and the high-precision feature template collected locally by the door lock is saved. If the comparison fails or times out, the current item is skipped and the next person is prompted until the traversal is completed.

[0026] Furthermore, the method also includes enhanced visual confirmation for each administrator: The main visitor terminal synthesizes the real-time video streams of each accompanying visitor into a picture-in-picture format and sends it to the management terminal. The administrator confirms and marks each visitor as approved in the synthesized screen. The main visitor terminal only includes the characteristics of the confirmed visitors in the message reconstruction.

[0027] Furthermore, the method also includes tamper-proof multi-user batch authorization based on reverse pure routing within a local area network: Reverse pure routing path establishment: The main visitor terminal assigns an independent virtual LAN IP to the visitor terminal of the same party, creates a reverse traffic tunnel to intercept packets with the destination address as the lock and pulls them to the virtual network interface, and then forwards the packets with the source IP preserved as is through the original socket to skip the network address translation of the system kernel, thereby establishing a reverse pure routing path. Mapping table synchronization and blind assembly: The main visitor terminal synchronizes the binding mapping table of identity identifier and virtual LAN IP to the management terminal. The management terminal binds it to the video stream for display and packages the virtual LAN IP of the confirmed personnel into the encrypted command payload and sends it down. After intercepting the data, the main visitor terminal blindly assembles the data, only adding its own characteristics to generate a new message and sending it to the door lock. Whitelist generation and main visitor verification: After the door lock is decrypted and the permissions are verified, the mapping list is parsed out and temporarily stored as the physical source whitelist. After the main visitor is verified, a ready signaling is returned. Visitor direct transmission and bypass pass-through: The visitor terminal in the same industry sends a characteristic message with its own virtual LAN IP as the source address; the main visitor terminal intercepts the message and forwards it as a stateless binary stream through the hotspot outgoing interface to the door lock without resolution. Source IP strong verification: The door lock reads the source IP of the message and compares it with the whitelist. If they match, it queries the identity identifier, calls and performs on-site face recognition token comparison and saves the local high-precision template. If they do not match, the message is discarded.

[0028] To address the challenge faced by elderly users and others unfamiliar with smart devices, who struggle to securely and conveniently grant temporary access to doors for unauthorized visitors in offline environments, a remote authorization method is needed. This method would allow administrators to directly verify visitor identities and grant authorization without exposing visitors to any of the administrator's sensitive unlocking information. Furthermore, it would maintain the door lock's original offline operation and security, thus providing a secure remote visitor access solution that requires no user intervention from the elderly. One technical solution is as follows: Prerequisites: 1. Both the administrator door lock APP and the visitor door lock APP (hereinafter referred to as the administrator or visitor APP) use their respective mobile phone numbers to complete cloud registration.

[0029] 2. The administrator's app is used to bind the elderly person's door lock. During the initial binding and initialization, the door lock's local camera captures and extracts the administrator's facial feature vector and saves it locally.

[0030] 3. The door lock, administrator app, and visitor app all have built-in facial feature extraction models trained with feature space alignment. It's important to note that due to differences in camera sensors and computing units across different physical devices, facial features extracted from different devices suffer some accuracy loss. They can only be used for lenient comparisons with higher tolerance and are not suitable for direct use as high-security local unlocking templates. Therefore, this solution uses remotely collected (non-door lock) facial features only for lenient threshold identity verification (token comparison), while the temporary template for unlocking is forced to use facial features collected locally by the door lock. This achieves a balance between high security and high pass rate in offline, cross-device scenarios. The door lock has a pre-set dual-threshold system for facial feature comparison: the first preset threshold (lenient threshold) is calibrated based on the cross-device feature similarity decay distribution curve to ensure a high pass rate during remote authorization; the second preset threshold (strict threshold) is calibrated based on the local same-source device feature distribution and preset false recognition rate constraints to ensure high security during daily unlocking. The door lock automatically calls the corresponding threshold according to different operation stages. The facial feature extraction model outputs a fixed-dimensional feature vector (e.g., fixed at 512 dimensions).

[0031] 4. The mobile phone used by the visitor's app must have the capability to obtain an independent public IP address (including but not limited to: an independent public IPv4 address obtained through a specific operator's IoT private network APN, a global unicast address based on IPv6, or port mapping implemented through specific network configurations in a broadband environment with a public IP address). This solution will be explained using obtaining an independent public IPv4 address as an example.

[0032] 5. The door lock has a built-in lightweight application layer parsing module that does not parse the original command business plaintext, but supports reading the ciphertext length based on a fixed offset, as well as extended parsing rules for recognizing appended identifiers and extracting appended data.

[0033] Technical implementation process: 1. Upon arrival, the visitor launches the app. The visitor app first establishes a Bluetooth connection with the door locks. For important properties (such as villas) that may have two or more smart door locks, the visitor app scans and establishes Bluetooth connections with all locks to be configured, counting the number of locks. During the Bluetooth network configuration phase, the visitor app calls the underlying interface of the mobile operating system to request a corresponding number of independent public IPv4 addresses from the operator's network. After obtaining the public IPv4 addresses (e.g., IP_B, IP_C, etc.) allocated by the operator, the visitor app uses the mobile hotspot access credentials along with the corresponding public IPv4 address, subnet mask, and default gateway as static network configuration parameters, and sends them to each door lock via Bluetooth, recording the correspondence between the door lock ID and IP address. Simultaneously, the visitor app injects the same number of specific routing rules into the routing table of the local operating system, specifying that packets destined for these public IPv4 addresses have their outgoing interface as the visitor's mobile phone's hotspot LAN interface, thus establishing a pure routing forwarding path (non-NAT translation) at the system's underlying level. After receiving the above information, each door lock statically configures its network address to the assigned public IPv4 address and directly connects to the visitor's mobile hotspot based on the received hotspot credentials. Once connected to the hotspot and starting to listen on a preset fixed UDP port, each door lock sends its port status back to the visitor app via Bluetooth. The visitor app confirms the door lock is online by reading the local hotspot network segment's neighbor table (such as an ARP table) and completes the mapping relationship between the door lock ID, IP address, and port locally.

[0034] 2. The visitor app and the administrator app establish a video call through the cloud platform, simultaneously exchanging end-to-end signaling based on public network addresses: First, the visitor app sends the list of online door lock addresses (including the public IPv4 address and fixed port corresponding to each door lock ID, such as IP_B and port of door lock 1, IP_C and port of door lock 2, etc.) to the administrator app; second, the visitor app and the administrator app exchange their current public network communication addresses to ensure that both parties and the target door lock are in a purely public network topology environment. After visually confirming the visitor's identity through the video call, the administrator configures temporary permission parameters (such as the number of days of validity) on the app and approves the entry.

[0035] 3. The administrator app performs liveness detection and extracts its own facial features using the local phone camera, which serves as the identity credential for the operator. Subsequently, the administrator app uses a standard digital envelope mechanism (i.e., generating a random symmetric session key to encrypt business data, and then encrypting the symmetric key using the door lock's built-in asymmetric public key) to encrypt the "temporary permission entry authorization" command data (containing [administrator facial feature vector + validity days]) into a command payload. The administrator app directly uses this encrypted command payload as the payload of a standard UDP packet, constructing a single-layer UDP packet (the destination IP address of this packet is directly set to the door lock's public IPv4 address IP_B, the destination port is set to the door lock's fixed listening port; the source address is the administrator app's own public IP address), and sends it directly over the internet. Since all communication nodes are in a pure public network topology, this UDP packet is directly routed to the visitor's mobile phone's cellular network interface on the internet based on the destination IP_B.

[0036] 4. Since the destination address of this UDP packet (the public IP address of the door lock_B) is routed to the visitor's mobile phone on the operator's side, after the packet arrives at the visitor's mobile phone, according to the pure routing rules injected in step 1, its physical forwarding path will inevitably pass through the visitor's mobile phone's hotspot LAN interface. Under this pure routing topology, the visitor's APP performs bypass snooping and packet reconstruction to complete the secure injection of visitor characteristics without possessing the door lock's private key or decrypting (and being unable to decrypt) the plaintext instructions. The specific processing is as follows: (1) Message bypass interception and payload extraction: The visitor app, operating in user space, uses a low-level packet capture mechanism to listen for and intercept passing UDP packets before the operating system's standard routing and forwarding process. (Note that the destination address of the packet is the door lock; it merely passes through the visitor app during forwarding, not being sent directly to the visitor app, meaning the destination address is not the visitor app.) The visitor app directly strips the network layer IP header and transport layer UDP header of this single-layer packet, skipping any business semantic parsing, and only extracts and temporarily stores the encrypted instruction payload from its UDP payload.

[0037] (2) Local feature extraction: The visitor app uses the device's camera to perform liveness detection and extract the visitor's facial feature vector.

[0038] (3) Application layer payload reconstruction and transmission: Based on the temporarily stored original encrypted instruction payload and the locally extracted visitor facial feature vector, the visitor app reconstructs an application-layer payload data structure. The reconstructed payload structure is as follows: [Encrypted payload length field (fixed number of bytes, indicating the length of subsequent ciphertext)] + [Original encrypted instruction payload] + [Custom appended identifier] + [Visitor facial feature vector]. Subsequently, the visitor app re-encapsulates the new payload with a standard UDP header and IP header (the destination IP is still set to the door lock's public IP_B, and the destination port is a fixed listening port), generates a new UDP packet, and submits it to the operating system for transmission. Since the destination IP still matches the pure routing rules in step 1, the packet is directly routed to the door lock via the visitor's mobile hotspot network.

[0039] 5. After receiving the reconstructed message, the door lock performs the following processing: (1) Command area parsing and lenient threshold authorization verification (verification of administrators): The door lock reads the encrypted payload length at a fixed offset, truncates the ciphertext, first uses the local private key to decrypt and recover the symmetric session key, and then uses the symmetric session key to decrypt the business payload, extracts the administrator's facial feature vector, and compares it with the local administrator template using a first preset threshold (a lenient threshold used for remote feature comparison during the authorization phase to tolerate differences in cross-device collection, for example, a value between 0.70 and 0.78 can be selected) to confirm that the authorization command originated from a legitimate administrator.

[0040] (2) Tail-end area analysis and on-site anti-injection verification (visitor verification): The door lock continues parsing, and upon detecting the "append identifier," extracts the trailing visitor facial feature vector. Instead of using the visitor features directly collected by the visitor's app as an unlocking template, the door lock temporarily stores them in a secure memory area as a one-time comparison token (used for subsequent comparison with the visitor's face collected locally by the door lock). Next, the door lock immediately enters a physical binding waiting state, prompting the person registering to scan their face on-site via voice prompt. The door lock uses its local camera for liveness detection, collects and calculates the on-site facial feature vector, and compares the visitor's facial feature vector carried in the message with the locally collected facial feature vector within a preset time (e.g., 60 seconds) using a first preset threshold (a lenient threshold). A successful comparison means that the administrator-authorized visitor and the actual on-site operator are the same person, effectively preventing remote commands from being intercepted and used by unauthorized personnel in injection attacks. If on-site collection and comparison are not completed within the preset time, the door lock automatically destroys the temporarily stored features and exits the process.

[0041] (3) High-precision local template overlay: After successful binding, the door lock directly destroys the visitor's facial feature vector carried in the message, and instead saves the on-site facial feature vector, which is collected and extracted by the door lock's local camera with high precision, as a temporary permission unlock template.

[0042] (4) Enhanced security of tiered thresholds: By downgrading the visitor features collected by the mobile phone to a mechanism that compares tokens and covers local templates, a dual-threshold hierarchical security system is achieved. Specifically, the authorization verification stage uses a first preset threshold (relaxed threshold) to tolerate cross-device feature loss and ensure a high success rate of authorization between the mobile phone and the door lock's heterogeneous devices. The daily unlocking stage uses a second preset threshold (strict threshold, with a value greater than the relaxed threshold, used to compare the door lock's locally collected features during the daily unlocking stage; for example, a value between 0.85 and 0.92 can be selected). Since the unlocking template has been replaced with the high-precision features collected locally by the door lock, cross-device feature noise is eliminated.

[0043] 6. After the door lock completes the data entry or the process terminates, it sends the execution result (e.g., successful or failed entry) to the visitor app via the established hotspot connection. The visitor app then synchronizes the result to the administrator app via the cloud. Subsequently, the door lock proactively disconnects from the WiFi connection and public network listening port, resuming offline hibernation mode to eliminate the risk of network exposure.

[0044] 7. Further improvements: Allow multiple visitors to simultaneously enter temporary unlocking permissions.

[0045] If multiple visitors need to register temporary unlocking permissions, to avoid the tedious operation of video calling the administrator one by one, a batch authorization mode based on local area network feature-based secure aggregation and single packet reconstruction is adopted. The specific improvements are as follows: (1) Secure aggregation of local area network features: One primary visitor is selected on-site, and their mobile phone activates a mobile hotspot. Other accompanying visitors' apps connect to this hotspot, and a peer-to-peer secure channel is established within a pure local area network using a near-field discovery protocol (such as mDNS). Each visitor sends their independently extracted facial features and identity identifiers (such as their app nickname) to the primary visitor's app for local aggregation. During this process, the biometric data of all accompanying personnel remains within the local area network, ensuring security.

[0046] (2) Construction of public network direct connection topology (reusing the logic of step 1): After feature aggregation is completed, the main visitor APP establishes a connection with the door lock via Bluetooth and calls the underlying interface of the operating system to request an independent public IPv4 address (IP_B) for the door lock (taking one door lock as an example). After obtaining it, the IP_B and hotspot certificate are sent to the door lock via Bluetooth for static configuration. At the same time, a pure routing forwarding rule pointing to IP_B is injected into the underlying layer of the main visitor's mobile phone to guide the door lock to connect to the hotspot and start listening on a fixed UDP port.

[0047] (3) Administrator batch input command issuance (reuses logic of steps 2-3): The main visitor's app and the administrator's app establish a video call and exchange public IP addresses. The administrator confirms the main visitor's identity on the video screen and, after obtaining information about other personnel from the main visitor, agrees to their registration. Then, the administrator's app sends an encrypted payload containing a "batch registration flag" to the door lock (i.e., the payload contains: [administrator's facial feature vector + valid days + batch registration flag]). The administrator's app directly sends this payload as the payload of a standard UDP packet (destination IP is IP_B) to the door lock via the internet. This packet, according to pure routing rules, will first reach the hotspot interface of the main visitor's mobile phone.

[0048] (4) Bypass monitoring and batch structural blind assembly (reusing the logic of step 4): The main visitor app listens for and intercepts the UDP packet in user space through the underlying packet capture mechanism. Without decrypting the original instruction, it strips the standard IP / UDP header and extracts the encrypted payload for temporary storage. Then, it calls the local camera to extract the main visitor's own features and reconstructs the locally stored "accompanying personnel feature list" in a unified package. The visitor app generates a new UDP packet and sends it to the door lock. The reconstructed payload data structure follows the following order: [encrypted payload length field] + [original encrypted instruction payload] + [custom appended identifier] + [batch feature identifier] + [main visitor's face feature vector] + [number of accompanying personnel] + [list of accompanying personnel's face feature vectors (the order of items in the list is: identity identifier length + identity identifier + feature vector length + accompanying visitor's face feature vector)].

[0049] (5) Batch traversal of door locks and anti-injection verification (reusing the logic of step 5): After receiving the reconstruction message, the door lock first decrypts and verifies the administrator's privileges by a fixed offset (using a lenient threshold); then it detects the "custom appended identifier" and "batch feature identifier" and performs entity binding verification on the main visitor (using the main visitor's feature as a token and comparing it with the main visitor's facial recognition feature on site using a lenient threshold 1:1; after passing the comparison, the token is destroyed and a local high-precision feature template is saved).

[0050] After the primary visitor's verification is successful, the door lock enters the multi-person traversal binding process: the "Number of Accompanying Persons" field is read to obtain the total number N, and the traversal loop begins; for each item in the list, the identity identifier and facial feature vector are read, and the person corresponding to the identifier is called through voice announcement (e.g., "Please Zhang San stand in front of the door lock"); within a preset time, the facial feature vectors of the accompanying persons in the list are used as one-time comparison tokens and compared with the facial features collected on-site using a lenient threshold 1:1 comparison; if the comparison is successful, the comparison token is destroyed, and the on-site features collected locally by the door lock are saved as a temporary permission template (for daily strict threshold unlocking); if the comparison fails or the timeout occurs, the current item is skipped, and the next person is prompted by voice, until the traversal ends.

[0051] 8. Further improvements: Includes batch authorization for multiple users with visual confirmation from the administrator for each user.

[0052] In the improved solution of step 7, the administrator only confirmed the main visitor through video. The identification of other visitors relied on the main visitor's verbal account and data collection from the local area network, which poses a risk of proxy spoofing. Further improvements are made to the solution in step 7 as follows: (1) Local area network video aggregation and picture-in-picture synthesis: In a local area network (LAN) environment, each visitor app, in addition to sending its own facial feature vector, also sends a real-time video stream to the main visitor app via the LAN (e.g., through WebRTC). The main visitor app performs an application-layer video frame synthesis operation of "main screen (for the main visitor) + time-slice carousel picture-in-picture (for other visitors, carousel at preset time intervals)," and synchronously overlays the identity identifiers of other visitors in the picture-in-picture area. The synthesized video stream is then sent to the administrator app, allowing the administrator to perceive the entire scene in a single screen and confirm all authorized personnel one by one.

[0053] To eliminate lag during switching caused by multiple concurrent streams, the main visitor app dynamically distributes differentiated encoding parameters to each visitor app according to the carousel sequence: high bitrate and high resolution (e.g., 1080p) are requested for the currently focused visitor; medium bitrate (e.g., 720p) is requested in advance for the next visitor to warm up the decoder, and then high bitrate (e.g., 1080p) is requested before switching to focus; low bitrate maintenance frames (e.g., 360p with only I-frames) are requested for the remaining waiting queues. Simultaneously, the main visitor app continuously decodes the next stream in the background through a locally maintained circular pre-decoding buffer, enabling frame-level response by directly retrieving decoded frames from the buffer and sending them to the rendering pipeline during picture-in-picture switching.

[0054] (2) Adaptive encoding of ROI (Region of Interest) based on door lock computing power offloading: When the main visitor app detects uplink bandwidth congestion and local computing power saturation, it sends the low-frame-rate global analysis stream captured by the local camera to the door lock via the local area network. The door lock briefly enters enhanced mode, utilizing a local lightweight face detection network and a simple quality assessment algorithm to locate the face region and output quality assessment results, including but not limited to face region coordinates, sharpness score, illumination uniformity score, and suggested values ​​for adjusting the quantization parameters (QP) of the face and background regions. The door lock then sends the assessment result message containing these fields back to the main visitor app via the local area network. Based on this, the main visitor app dynamically adjusts encoding parameters, such as lowering the QP for the face region to improve sharpness and increasing the QP for the background region to reduce the bit rate, maximizing the subjective sharpness of the main image's face under extremely weak network conditions with minimal local area network signaling overhead.

[0055] (3) Confirm filtering and blind assembly: The administrator performs confirmation or rejection operations on the carousel of visitors in the composite screen. The main visitor's app only includes the feature vectors of visitors who are visually confirmed into the "accompanying personnel feature list" in step 7 for message reassembly; the feature data of personnel who fail to pass confirmation are directly destroyed locally on the main visitor's mobile phone. The finally reconstructed UDP message is sent to the door lock via a pure routing path for subsequent traversal verification.

[0056] 9. Further improvements: Anti-tampering multi-user batch authorization based on LAN reverse pure routing.

[0057] In the improved solution of step 7, the facial feature vectors of accompanying visitors need to be aggregated at the application layer of the main visitor's APP before being reassembled and sent. This essentially turns the main visitor's APP into a feature relay proxy, posing a risk of man-in-the-middle attacks where the main visitor maliciously tamperes with or replaces the biometric features of accompanying persons. The video verification method in step 8 can constrain the visual level, but it cannot guarantee the unforgeability of the physical origin of the underlying data packets. To eliminate this risk, further improvements are made to steps 7 and 8 as follows: (1) Virtual LAN IP address distribution and reverse pure routing forwarding path establishment: The main visitor's mobile phone activates a mobile hotspot, and the door lock and all accompanying visitor apps connect to this hotspot. The door lock continues to use the public IPv4 address (IP_B) obtained in step 1 as its unique IP address within the hotspot network. In an operating environment with underlying network control privileges, the main visitor app performs network topology configuration at the operating system level: through DHCP custom options or a system-level channel, it assigns an independent virtual LAN IP (such as 192.168.1.101, 192.168.1.102, etc.) to each other accompanying visitor app. The main visitor app calls a system-level network interface (such as a VPN service interface or a TUN virtual network card) to create a reverse routing tunnel on its local machine and configures local routing rules to forcibly intercept and redirect all cross-segment packets with the door lock's IP_B as the destination address within the LAN to the application layer processing plane of this virtual network interface. Thus, without modifying the accompanying visitor's own system routing table, it effectively achieves topology control by forcibly forwarding specified packets via the main visitor's mobile phone. Subsequently, within the application layer processing plane, the main visitor APP performs raw socket forwarding on packets entering through the virtual network interface, directly reading and preserving the source IP address in the packet IP header (i.e., the virtual LAN IP of each visitor in the same group), skipping the default NAT source address translation process of the operating system kernel, and establishing a pure routing forwarding path for reverse penetration within the local area network.

[0058] (2) Cross-network synchronization of mapping tables and blind assembly of instructions: After each visitor's app connects to the main visitor's mobile hotspot, it reports its temporary identity (such as the app nickname) to the main visitor's app via the local area network near-field channel. The main visitor's app then generates a "identity-virtual LAN IP" binding mapping table locally based on the virtual LAN IP assigned to each visitor. After establishing a cross-internet video call between the main visitor's app and the administrator's app, the binding mapping table is synchronized across the network to the administrator's app via an auxiliary data channel for the public network video call (such as WebRTC's DataChannel). Upon receiving the mapping table, the administrator's app strongly binds it to multiple picture-in-picture video streams at the UI level (i.e., displays the bound virtual LAN IP next to the corresponding person's video screen). After the administrator remotely visually confirms each person in the screen, the administrator app directly extracts the virtual LAN IPs of all confirmed individuals based on the locally bound mapping relationship. These IPs are then used as security attribute fields and packaged into an encrypted instruction payload containing a "batch entry flag" (the plaintext content of this payload is: [Administrator facial feature vector + valid days + batch entry flag + number of accompanying visitors N + accompanying visitor mapping list], where the accompanying visitor mapping list contains N consecutive mapping items, each with the structure: [virtual LAN IP length + virtual LAN IP + identity identifier length + identity identifier]). The administrator app then sends this payload directly over the internet as the payload of a standard UDP packet (destination IP is IP_B).

[0059] The main visitor APP intercepts the UDP packet in user mode through the underlying packet capture mechanism. Without decrypting the original instruction, it performs the same bypass listening and blind assembly operation as step 7: stripping the packet header to extract the encrypted payload, and adding the main visitor's own characteristics and batch structure identifier (it should be noted that no feature data of any fellow visitors is added here, because the main visitor APP does not collect and contact the feature data of fellow visitors; the facial features of fellow visitors will be sent directly to the door lock by each fellow visitor APP after receiving the ready signal in subsequent step 9 (5). At the application layer, a new UDP packet is actively constructed and generated (at this time, the payload content is: [encrypted payload length field] + [original encrypted instruction payload] + [custom append identifier] + [batch feature identifier] + [main visitor identity identifier length] + [main visitor identity identifier] + [main visitor facial feature vector length] + [main visitor facial feature vector]), and is directly sent to the door lock through the underlying physical hotspot outgoing interface (bypassing the inbound traction of the aforementioned virtual network interface). During this stage, the main visitor app only processes the appending of administrator instructions and does not access the characteristic data of fellow visitors.

[0060] (3) Door lock IP whitelist resolution and main visitor verification: After receiving the reconstruction message, the door lock decrypts and verifies administrator privileges by a fixed offset. It then parses the aforementioned list of accompanying visitors (containing the correspondence between virtual LAN IPs and identity identifiers), storing it temporarily in a secure memory area as a whitelist of physical sources for subsequent data reception and as the basis for identity-based calls. Next, the door lock performs entity binding verification on the primary visitor according to standard logic (using the primary visitor's remote characteristics as a token and comparing them 1:1 with the on-site primary visitor's facial recognition characteristics using a lenient threshold). After successful verification, the door lock returns a "Ready" signal to the primary visitor's app.

[0061] (4) Direct transmission from visitor to main visitor and bypass transmission from the application layer: After receiving the "Ready" signal from the door lock, the main visitor app sends a "Allow Sending Features" notification to all confirmed accompanying visitor apps via a local area network near-field channel (such as mDNS). Each accompanying visitor app directly constructs a UDP packet locally (the source IP of the packet is the virtual LAN IP assigned to the main visitor, and the destination IP is the door lock's public IP_B; the payload is simplified to: [feature length] + [visitor's facial feature vector]), and sends it to the main visitor's mobile phone according to the regular LAN gateway routing.

[0062] After the message arrives at the main visitor's mobile phone, it matches the local routing rules configured in step 9(1) and is redirected to the virtual network interface created by the main visitor's APP to enter the application layer processing plane. The main visitor's APP directly reads the complete kernel buffer data of the intercepted message (including the unchanged original source IP) through the raw socket, skips any application layer payload resolution, and sends the entire message data as a stateless binary stream directly out through the specified hotspot network interface. Through this application layer no-resolution raw forwarding mechanism, the default NAT source address translation of the system kernel is bypassed, so that the source IP of the message finally received by the door lock is still the virtual LAN IP of each visitor. It also ensures that the main visitor's APP does not touch or parse the facial feature payload of the visitor at the code level, achieving data pass-through with anti-tampering equivalent to the physical network cable level.

[0063] (5) Strong physical source verification of the door lock based on the source IP: After receiving a UDP packet, the door lock's lightweight parsing module first reads the "source IP address" field in the IP packet header and strictly compares it with the "virtual LAN IP whitelist" temporarily stored in step (3). If the source IP does not match, it is directly determined to be a man-in-the-middle attack and discarded; if it matches, the door lock queries the temporarily stored mapping list based on the source IP to obtain the corresponding identity identifier, and calls the person through voice broadcast (e.g., "Please Zhang San scan your face"). Then, it extracts the feature vector in the payload to perform subsequent on-site face scan token comparison (logic is the same as the aforementioned single-person process) and saves the local high-precision template.

[0064] Beneficial effects: 1. By constructing a pure routing penetration topology at the bottom layer, a secure end-to-end direct connection between the administrator and the door lock is achieved in a network-free environment. The network is immediately disconnected after authorization is completed, eliminating the network exposure surface.

[0065] 2. The "blind assembly" mechanism, which does not decrypt the original instructions, enables physical-level isolation of instruction data on the visitor's mobile phone during the forwarding process, thus blocking the risk of man-in-the-middle stealing sensitive instructions.

[0066] 3. A cross-device facial feature tokenization downgrade and dual threshold comparison mechanism is adopted to ensure authorization pass rate with a remote lenient threshold and daily security with a local strict threshold, thus solving the problem of feature loss in heterogeneous devices.

[0067] 4. In batch scenarios, further prevent data tampering attacks on proxy nodes from the source of the underlying packets by disabling NAT translation and performing strong network layer whitelist verification based on the source IP.

[0068] Protection point: 1. A message reconstruction mechanism for untrusted relays that involves no decryption, blind extraction, and blind appending to the tail. In a topology where relay nodes (including visitor phones in single-transaction scenarios and main visitor phones in batch scenarios) act as untrusted relays, the relay app listens in user space and intercepts passing encrypted messages. After stripping the standard IP / UDP header, it skips the business semantic parsing and decryption of the inner digital envelope and directly reconstructs the original encrypted instruction payload by linearly concatenating it with the relay node's locally collected features and necessary control identifiers (such as the main visitor's identity and batch structure identifier) ​​according to a fixed offset rule. The door lock end uses a lightweight fixed offset reading and tail identifier recognition mechanism to verify administrators and on-site visitors. This design achieves secure instruction transmission and feature injection without exposing administrator ciphertext or holding the door lock's private key in a zero-trust environment with extremely low computational overhead.

[0069] 2. Cross-device feature tokenization downgrade and dual-threshold local high-precision template forced overwrite mechanism. Visitor features not collected by door locks (mobile phones) are absolutely prohibited from being used as unlock templates, downgraded to one-time comparison tokens; local liveness detection is forcibly triggered, and the comparison token and on-site personnel are strongly bound to prevent injection verification using a first preset threshold (relaxed threshold); after successful verification, the comparison token is immediately destroyed, and the locally collected features are used as the official template (a second preset strict threshold is used for unlocking in daily operations). This tolerates cross-device errors during the authorization phase and eliminates cross-device noise during daily operations, achieving a unity and balance between security and convenience.

[0070] 3. A single-packet batch blind injection method based on pure LAN isolation aggregation and self-describing structure. In multi-user authorization scenarios, secure aggregation or direct transmission of multi-user characteristics is achieved through pure LAN isolation hotspots. In one implementation, the relay APP appends multi-user characteristics of variable length as a nested TLV (Type-Length-Value) self-describing list to the end of a single encrypted packet. In another implementation, each accompanying visitor APP uses its assigned VLAN IP as the source IP and directly sends UDP packets containing its own characteristics to the door lock. The relay performs unresolved raw forwarding, and the door lock performs strong physical source verification using a source IP whitelist. Regardless of the method, the door lock only needs to read the length field stepwise or verify the source IP to complete batch authorization, achieving efficient expansion with extremely low computational power consumption.

[0071] 4. ROI Adaptive Video Encoding Mechanism Based on Door Lock Edge Computing Offloading. In extreme weak network scenarios with limited uplink bandwidth for mobile hotspots during multi-person video verification, idle door lock computing power is offloaded as a "video encoding auxiliary server." The main visitor's mobile phone globally streams a low frame rate to the door lock. The door lock uses a local lightweight algorithm module to output suggestions for adjusting face region coordinates, sharpness, and quantization parameters (QP), which are fed back to the main visitor's APP for differentiated encoding (lowering QP for faces to improve sharpness, and increasing QP for backgrounds to reduce bitrate). With relatively low LAN signaling overhead, this alleviates the uplink bandwidth bottleneck of mobile hotspots and maximizes the subjective sharpness of remote manual verification under extremely weak network conditions.

[0072] 5. A network layer physical anti-tampering mechanism based on reverse pure routing penetration and source IP whitelisting. This moves the defense against man-in-the-middle attacks from "application layer cryptography" to "network layer topology." In an operating environment with low-level network control privileges, the main visitor app calls a system-level network interface (such as a VPN service interface or a TUN virtual network card) to create a reverse traffic tunnel on the local machine and configures local routing rules to intercept all cross-segment packets within the LAN whose destination address is the door lock's public IP address and redirect them to the application layer processing plane of this virtual network interface. Subsequently, at the application layer, raw socket forwarding is performed on packets entering through the virtual network interface, directly reading and preserving the source IP address in the packet's IP header (i.e., the virtual LAN IPs of each accompanying visitor), bypassing the operating system kernel's default NAT source address translation process, and establishing a pure routing forwarding path for reverse penetration within the LAN. The door lock uses the list of virtual LAN IPs remotely confirmed by the administrator as a physical source whitelist. When it receives a characteristic packet, it directly reads the source address in the IP packet header for strong verification. This mechanism ensures that relay nodes only transmit data as physical network cables at the system's bottom layer, preventing attacks that could replace, tamper with, or forge the biometrics of fellow personnel at the application layer.

[0073] Another embodiment of the present invention provides a system for adding members to a door lock, see [link to relevant documentation]. Figure 3 The system may include: Module 301 is used for temporary networking and pure routing path construction of offline door locks: Based on the local connection established between the visitor terminal and the offline door lock, the visitor terminal applies for an independent public network address from the operator network and configures the address and mobile hotspot certificate to the door lock. At the same time, the visitor terminal establishes a pure routing forwarding rule pointing to the public network address at the system bottom layer, and constructs a non-network address translation penetration path from the terminal to the door lock. The distribution module 302 is used to distribute remote authorization instructions to the administrator: based on the video call and public network address exchange established between the visitor terminal and the management terminal, after the management terminal confirms the visitor's identity, it generates an encrypted authorization instruction payload containing the administrator's biometrics and sends the instruction payload directly over the Internet with the public network address of the door lock as the destination address. Reconstruction module 303 is used for relay node bypass listening and blind assembly reconstruction: based on the encrypted instruction payload intercepted by the visitor terminal on the pure routing path, without decrypting the payload content, the network protocol header is stripped to extract the original encrypted payload, and the locally collected visitor biometric features are used as additional data to reconstruct and generate a new message and send it to the door lock along the original path. The injection module 304 is used for door lock hierarchical verification and temporary permission injection: After receiving the reconstructed message from the door lock, it decrypts and extracts the administrator's biometric features. After verification with a first preset threshold, the visitor's biometric features in the message are compared with the biometric features collected in real time on site using the first preset threshold as a one-time comparison token. After the comparison is successful, the visitor feature token in the message is destroyed, and the biometric features collected on site are saved as a temporary unlock template. During daily unlocking, the door lock compares the temporary unlock template with a second preset threshold greater than the first preset threshold, realizing secure remote injection of visitor permissions in offline environment. Among them, the door lock, management terminal and visitor terminal all have built-in face feature extraction models trained by feature space alignment. The first preset threshold is calibrated based on the cross-device feature similarity decay distribution curve, and the second preset threshold is calibrated based on the local same-source device feature distribution and preset false recognition rate constraints.

[0074] This invention also provides a storage medium storing a computer program, wherein the computer program is configured to execute the steps in any of the above method embodiments when running.

[0075] This invention also provides an electronic device, including a memory and a processor, wherein the memory stores a computer program, and the processor is configured to run the computer program to perform the steps in any of the above method embodiments.

[0076] Specifically, the aforementioned electronic device may further include a transmission device and an input / output device, wherein the transmission device is connected to the aforementioned processor, and the input / output device is connected to the aforementioned processor.

[0077] The above description, based on the embodiments shown in the figures, details the structure, features, and effects of the present invention. The above description is only a preferred embodiment of the present invention, but the present invention is not limited to the scope of implementation shown in the figures. Any changes made in accordance with the concept of the present invention, or equivalent embodiments modified to have equivalent changes, that do not exceed the spirit covered by the specification and figures, should be within the protection scope of the present invention.

Claims

1. A method for adding members to a door lock, characterized in that, The method includes: Offline door lock temporary networking and pure routing path construction: Based on the local connection established between the visitor terminal and the offline door lock, the visitor terminal applies for an independent public network address from the operator network and configures the address and mobile hotspot certificate to the door lock. At the same time, the visitor terminal establishes a pure routing forwarding rule pointing to the public network address at the system bottom layer, and constructs a non-network address translation penetration path from the terminal to the door lock. Remote authorization command issuance by administrator: Based on the video call and public network address exchange established between the visitor terminal and the management terminal, after the management terminal confirms the visitor's identity, it generates an encrypted authorization command payload containing the administrator's biometrics and sends the command payload directly over the Internet with the public network address of the door lock as the destination address. Relay node bypass listening and blind assembly reconstruction: Based on the encrypted instruction payload intercepted by the visitor terminal on the pure routing path, without decrypting the payload content, the network protocol header is stripped to extract the original encrypted payload, and the locally collected visitor biometric features are used as additional data to reconstruct and generate a new message, which is then sent to the door lock along the original path. Door lock hierarchical verification and temporary permission injection: After receiving the reconstructed message, the door lock decrypts it, extracts the administrator's biometric features, and verifies them using a first preset threshold. Then, it uses the first preset threshold to compare the visitor's biometric features in the message as a one-time comparison token with the biometric features collected in real time on-site. After the comparison is successful, the visitor feature token in the message is destroyed, and the biometric features collected on-site are saved as a temporary unlock template. During daily unlocking, the door lock compares the temporary unlock template with a second preset threshold greater than the first preset threshold, realizing secure remote injection of visitor permissions in an offline environment. Among them, the door lock, management terminal, and visitor terminal all have built-in face feature extraction models trained with feature space alignment. The first preset threshold is calibrated based on the cross-device feature similarity decay distribution curve, and the second preset threshold is calibrated based on the local same-source device feature distribution and preset false recognition rate constraints.

2. The method according to claim 1, characterized in that, The offline door lock temporary network and pure routing path construction includes: Local connection establishment: The visitor terminal establishes a connection with the offline door lock via Bluetooth. In the case of multiple door locks, the visitor terminal scans and establishes a Bluetooth connection with all door locks to be configured and counts the number of door locks. Independent public IP address application: Based on the number of door locks obtained by the visitor terminal via Bluetooth, apply to the operator's network for the corresponding number of independent public IPv4 addresses; Static network configuration and hotspot access: Based on the obtained public IPv4 address, subnet mask, and default gateway, the visitor terminal sends the mobile hotspot access certificate and the above network parameters as static configuration to each door lock via Bluetooth. After configuration, the door lock connects to the visitor terminal's mobile hotspot and starts listening on a fixed port. The door locks feed back their respective port status to the visitor terminal via Bluetooth. The visitor terminal confirms that the door lock is online by reading the neighbor table of the local hotspot network segment and completes the mapping relationship between the door lock ID and the public IPv4 address and port. Pure routing forwarding rule injection: Based on the routing table of the visitor terminal in the local operating system, specific routing rules are injected to specify that the outgoing interface of the packet with the destination address as the public IPv4 address is the mobile hotspot LAN interface, and a non-network address translation penetration path is established.

3. The method according to claim 2, characterized in that, The remote authorization command issued by the administrator includes: Video call and address exchange: The visitor terminal and the management terminal establish a video call through the cloud platform. The visitor terminal sends the list of public network addresses of the online door locks to the management terminal, and the two parties exchange their current public network communication addresses. Administrator identity verification: After visually verifying the visitor's identity via video call through the management terminal, configure temporary permission parameters on the management terminal; Encrypted instruction payload generation: Based on the facial feature vector extracted from the management terminal, an encrypted authorization instruction payload containing the administrator's facial feature vector and the number of valid days is generated using a digital envelope mechanism; Direct instruction transmission: Based on the encrypted authorization instruction payload, the management terminal uses the public network address of the door lock as the destination address, directly uses the encrypted instruction payload as the payload of the standard User Datagram Protocol (UDP) message, constructs a single-layer UDP message, and sends it directly over the Internet.

4. The method according to claim 3, characterized in that, The relay node bypass listening and blind assembly reconstruction includes: Message bypass interception: Based on the visitor terminal's underlying message capture mechanism in user space, listen for and intercept user datagram protocol messages that pass through before the standard routing forwarding of the operating system, with the destination address being the public network address of the door lock; Blind payload extraction: Based on the visitor terminal, the network layer protocol header and transport layer protocol header of the message are stripped, skipping the business semantic parsing, and only the encrypted instruction payload in the user datagram protocol payload is extracted and temporarily stored; Local biometric data collection: Based on the visitor's terminal, the local camera is used to perform liveness detection and extract the visitor's facial feature vector; Blind payload assembly and retransmission: Based on the temporarily stored original encrypted instruction payload and the locally extracted visitor facial feature vector, the application layer payload data structure is reconstructed. The structure includes, in sequence, the encrypted payload length field, the original encrypted instruction payload, the custom appended identifier, and the visitor facial feature vector. The visitor terminal re-encapsulates the network protocol header and transport layer protocol header for the reconstructed payload, generates a new message, and submits it to the operating system for transmission.

5. The method according to claim 4, characterized in that, The door lock hierarchical verification and temporary permission injection include: Administrator permission verification: Based on the door lock, read the length of the encrypted payload in the reconstructed message by a fixed offset, extract the ciphertext, use the local private key to decrypt and recover the symmetric session key, then decrypt the business payload to extract the administrator's facial feature vector, and compare it with the locally stored administrator template with a first preset threshold to confirm the legality of the authorization command; Visitor token on-site binding: After the door lock detects the custom appended identifier at the end of the message, it extracts the visitor's facial feature vector at the end as a one-time comparison token for temporary storage, and triggers the door lock's voice prompt to require the registered person to scan their face on-site. The door lock calls the local camera for liveness detection and extracts the on-site facial feature vector. Within a preset time, it compares the temporarily stored visitor token with the on-site collected features 1:1 with the first preset threshold. Local high-precision template overlay: Based on the comparison result, the visitor's facial feature vector in the door lock destruction message is used to save the on-site facial feature vector collected by the door lock's local camera as a temporary permission unlock template. This template is used for daily unlocking and is compared with a second preset threshold, where the second preset threshold is greater than the first preset threshold.

6. The method according to claim 5, characterized in that, The method also includes bulk visitor authorization: Local Area Network Feature Secure Aggregation: When the main visitor terminal activates a mobile hotspot, other visitor terminals in the same region connect to the hotspot and establish a secure channel within the local area network through the near-field discovery protocol. They then send their independently extracted facial features and identity identifiers to the main visitor terminal for aggregation. Batch command blind assembly: After the main visitor terminal intercepts the encrypted command payload containing batch entry markers issued by the management terminal, it appends its own characteristics and the aggregated list of accompanying personnel characteristics to the end of the original encrypted payload in a self-descriptive nested format without decryption, and reconstructs and generates a new message to be sent to the door lock. The self-descriptive nested format includes, in sequence: encrypted payload length field, original encrypted command payload, custom append identifier, batch feature identifier, main visitor face feature vector, number of accompanying personnel, and list of accompanying personnel face feature vectors. The order of items in the list is identity identifier length, identity identifier, feature vector length, and accompanying visitor face feature vector. Batch door lock verification: After decrypting the door lock and verifying the administrator's permissions, the custom appended identifier and batch feature identifier are parsed out. First, the on-site entity binding verification is performed on the main visitor. Then, the corresponding personnel are called one by one according to the number of accompanying personnel and the list. The features in the list are used as a one-time comparison token and compared with the on-site collected features for the first preset threshold. If the comparison is successful, the token is destroyed and the high-precision feature template collected locally by the door lock is saved. If the comparison fails or times out, the current item is skipped and the next person is prompted until the traversal is completed.

7. The method according to claim 6, characterized in that, The method also includes enhanced visual verification by administrators on a per-person basis: The main visitor terminal synthesizes the real-time video streams of each accompanying visitor into a picture-in-picture format and sends it to the management terminal. The administrator confirms and marks each visitor as approved in the synthesized screen. The main visitor terminal only includes the characteristics of the confirmed visitors in the message reconstruction.

8. The method according to claim 7, characterized in that, The method also includes tamper-proof multi-user batch authorization based on reverse pure routing within a local area network: Reverse pure routing path establishment: The main visitor terminal assigns an independent virtual LAN IP to the visitor terminal of the same party, creates a reverse traffic tunnel to intercept packets with the destination address as the lock and pulls them to the virtual network interface, and then forwards the packets with the source IP preserved as is through the original socket to skip the network address translation of the system kernel, thereby establishing a reverse pure routing path. Mapping table synchronization and blind assembly: The main visitor terminal synchronizes the binding mapping table of identity identifier and virtual LAN IP to the management terminal. The management terminal binds it to the video stream for display and packages the virtual LAN IP of the confirmed personnel into the encrypted command payload and sends it down. After intercepting the data, the main visitor terminal blindly assembles the data, only adding its own characteristics to generate a new message and sending it to the door lock. Whitelist generation and main visitor verification: After the door lock is decrypted and the permissions are verified, the mapping list is parsed out and temporarily stored as the physical source whitelist. After the main visitor is verified, a ready signaling is returned. Visitor direct transmission and bypass transparent transmission: The visitor terminal of the same peer sends characteristic packets using its own virtual LAN IP as the source address; The main visitor terminal intercepts the message and forwards it as a stateless binary stream through the hotspot outgoing interface to the door lock without parsing. Source IP strong verification: The door lock reads the source IP of the message and compares it with the whitelist. If they match, it queries the identity identifier, calls and performs on-site face recognition token comparison and saves the local high-precision template. If they do not match, the message is discarded.

9. A system for adding members to a door lock, characterized in that, The system includes: The module is used for temporary networking and pure routing path construction of offline door locks: Based on the local connection established between the visitor terminal and the offline door lock, the visitor terminal applies for an independent public network address from the operator network and configures the address and mobile hotspot certificate to the door lock. At the same time, the visitor terminal establishes a pure routing forwarding rule pointing to the public network address at the system bottom layer, and constructs a non-network address translation penetration path from the terminal to the door lock. The distribution module is used to issue remote authorization commands to the administrator: based on the video call and public network address exchange established between the visitor terminal and the management terminal, after the management terminal confirms the visitor's identity, it generates an encrypted authorization command payload containing the administrator's biometrics and sends the command payload directly over the Internet with the public network address of the door lock as the destination address. The reconstruction module is used for relay node bypass listening and blind assembly reconstruction: based on the encrypted instruction payload intercepted by the visitor terminal on the pure routing path, without decrypting the payload content, the network protocol header is stripped to extract the original encrypted payload, and the locally collected visitor biometric features are used as additional data to reconstruct and generate a new message, which is then sent to the door lock along the original path. The injection module is used for door lock hierarchical verification and temporary permission injection: After receiving the reconstructed message from the door lock, it decrypts and extracts the administrator's biometric features. After verification with a first preset threshold, the administrator's biometric features in the message are used as a one-time comparison token and compared with the biometric features collected in real time on site, using the first preset threshold. After the comparison is successful, the visitor feature token in the message is destroyed, and the biometric features collected on site are saved as a temporary unlock template. During daily unlocking, the door lock compares the temporary unlock template with a second preset threshold greater than the first preset threshold, realizing secure remote injection of visitor permissions in offline environment. Among them, the door lock, management terminal and visitor terminal all have built-in face feature extraction models trained by feature space alignment. The first preset threshold is calibrated based on the cross-device feature similarity decay distribution curve, and the second preset threshold is calibrated based on the local same-source device feature distribution and preset false recognition rate constraints.

10. An electronic device comprising a memory and a processor, characterized in that, The memory stores a computer program, and the processor is configured to run the computer program to perform the method of any one of claims 1-8.