CN103609061A - Method, device and system for security authentication - Google Patents

Method, device and system for security authentication Download PDF

Info

Publication number
CN103609061A
CN103609061A CN201280000849.8A CN201280000849A CN103609061A CN 103609061 A CN103609061 A CN 103609061A CN 201280000849 A CN201280000849 A CN 201280000849A CN 103609061 A CN103609061 A CN 103609061A
Authority
CN
China
Prior art keywords
network unit
coaxial network
optical line
line terminal
dense
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
CN201280000849.8A
Other languages
Chinese (zh)
Other versions
CN103609061B (en
Inventor
孙艳宾
孙方林
赵泉波
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Huawei Technologies Co Ltd
Original Assignee
Huawei Technologies Co Ltd
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by Huawei Technologies Co Ltd filed Critical Huawei Technologies Co Ltd
Publication of CN103609061A publication Critical patent/CN103609061A/en
Application granted granted Critical
Publication of CN103609061B publication Critical patent/CN103609061B/en
Active legal-status Critical Current
Anticipated expiration legal-status Critical

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/08Network architectures or network communication protocols for network security for authentication of entities
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/72Signcrypting, i.e. digital signing and encrypting simultaneously

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Small-Scale Networks (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

Provided are a method, device and system for security authentication. The communication technology field is involved. The security problem of an EPOC system is solved. The method can specifically include: acquiring a message, and acquiring a media access control address of an optical line terminal from the message; according to the media access control address, calculating an optical line terminal public key; according to any first session key between a coaxial network unit and the optical line terminal, the optical line terminal public key and a coaxial network element private key, calculating first signcryption cipher text; and transmitting the first signcryption cipher text to the optical line terminal, so that the optical line terminal performs network access authentication on the coaxial network unit according to the first signcryption cipher text. The method can simultaneously realize the access registration, authentication and key sharing of a coaxial network unit by means of an optical line terminal.

Description

The methods, devices and systems of safety certification
Technical field
The present invention relates to communication technical field, relate in particular to the methods, devices and systems of safety certification.
Background technology
At EPOC(Ethernet Passive Optical Network Over Coaxial, ether passive light circuit based on coaxial) in system, OLT(Optical Line Terminal, optical line terminal) by optical fiber and CMC(Coaxial Media Converter, copper axle medium converter) connect, CMC and CNU(Coaxial Network Unit, coaxial network unit) by coaxial cable, connect, CMC is mainly used in the conversion between light territory signal and copper territory signal, the light territory signal that is about to OLT transmission is converted to the copper territory signal that CNU receives, or, the copper territory signal that CNU is sent converts the light territory signal that OLT receives to.
In order to improve the fail safe of EPOC system, before CNU access network, EPOC system need to be by authenticating this CNU with the OLT of this CNU binding.
The method that CNU is authenticated can comprise: OLT receives the access request that CNU sends, and comprises the MAC(Medium Access Control of CNU, media access control layer in access request) address information; OLT is forwarded to the access request receiving in certificate server, certificate server judges according to the mac address information of CNU whether CNU is allowed to access, judge that CNU is whether by authentication, in certificate server, can store the mac address information of the CNU being allowed to access or the condition of the CNU that is allowed to access etc.; OLT receives and forwards to CNU the authentication response that certificate server sends, and whether authentication response is used for describing CNU by authentication.
If CNU is by authentication, the data of transmitting between CNU and OLT can be used the shared session key being stored in CNU and OLT to be encrypted and/or to decipher.
State in realization in the process of EPOC system safety authentication, inventor finds that in prior art, at least there are the following problems: in EPOC system, OLT authenticates according to the mac address information of CNU, when malice CNU forges after the mac address information of normal CNU, also may access by the authentication of OLT in EPOC system, cause malice CNU to take the MAC Address of normal CNU, make the normal CNU cannot access network; Meanwhile, due to, in OLT, only store the shared session key with the CNU of its binding, therefore, OLT can only authenticate the CNU with its binding and transfer of data, has reduced the flexibility of EPOC system.
Summary of the invention
Embodiments of the invention provide a kind of method, device, system of safety certification, have solved the lower problem of fail safe of EPOC system.
For achieving the above object, embodiments of the invention adopt following technical scheme:
On the one hand, provide a kind of method of safety certification, be applied to EPOC system, comprising:
Obtain message, and from described message, obtain the Media Access Control Address of optical line terminal;
According to described Media Access Control Address compute ray road terminal public key;
According to arbitrary the first session key between coaxial network unit and described optical line terminal and described optical line terminal PKI and the dense literary composition of coaxial network unit private key calculating the first label;
To described optical line terminal, send described first and sign dense literary composition, so that described optical line terminal is signed dense literary composition according to described first, described coaxial network unit is carried out to network access authentication.
In addition, also separately provide a kind of method of safety certification, be applied to EPOC system, comprising:
Receive the dense literary composition of the first label that coaxial network unit sends;
According to the Media Access Control Address of the coaxial network unit receiving, calculate coaxial network unit PKI;
According to described first, sign dense literary composition and described coaxial network unit PKI and optical line terminal private key described coaxial network unit carried out to network access authentication, make optical line terminal and network access authentication by after coaxial network unit communicate.
On the other hand, provide a kind of device of safety certification, comprising: coaxial network unit and optical line terminal.
A coaxial network unit, comprising:
Receiver for obtaining message, and obtains the Media Access Control Address of optical line terminal from described message;
Processor, for the Media Access Control Address compute ray road terminal public key getting according to described receiver; According to arbitrary the first session key between institute's coaxial network unit and described optical line terminal and described optical line terminal PKI and the dense literary composition of coaxial network unit private key calculating the first label;
Transmitter, the dense literary composition of the first label calculating for send described processor to described optical line terminal, carries out network access authentication so that described optical line terminal is signed dense literary composition according to described first to described coaxial network unit.
An optical line terminal, comprising:
Receiver, the dense literary composition of the first label sending for receiving coaxial network unit;
Processor, for calculating coaxial network unit PKI according to the Media Access Control Address of the coaxial network unit receiving; According to described first, sign dense literary composition and described coaxial network unit PKI and optical line terminal private key described coaxial network unit carried out to network access authentication, make optical line terminal and network access authentication by after coaxial network unit communicate.
Again on the one hand, provide a kind of system of safety certification, comprising: the above-mentioned coaxial network unit providing and optical line terminal.
Adopt after such scheme, coaxial network unit, before access network, calculates first according to the first session key, coaxial network unit private key, optical line terminal PKI and signs dense literary composition; The dense literary composition of the first label is sent to optical line terminal, so that optical line terminal is signed dense literary composition according to coaxial network unit PKI, optical line terminal private key, first, coaxial network unit is carried out to network access authentication, increased the fail safe of the coaxial network unit of new access, and then increased to a certain extent the fail safe of EPOC system, and, optical line terminal can authenticate and transfer of data any coaxial network unit, has increased the flexibility of EPOC system.
Accompanying drawing explanation
In order to be illustrated more clearly in the technical scheme in the embodiment of the present invention, below the accompanying drawing of required use during embodiment is described is briefly described, apparently, accompanying drawing in the following describes is only some embodiments of the present invention, for those of ordinary skills, do not paying under the prerequisite of creative work, can also obtain according to these accompanying drawings other accompanying drawing.
The method flow diagram of the safety certification that a kind of coaxial network unit that Fig. 1 provides for the present embodiment is executive agent;
The method flow diagram of the safety certification that the another kind of coaxial network unit that Fig. 2 provides for the present embodiment is executive agent;
The registration request frame format schematic diagram that Fig. 3 provides for the present embodiment;
The method flow diagram of the safety certification that a kind of optical line terminal that Fig. 4 provides for the present embodiment is executive agent;
The method flow diagram of the safety certification that the another kind of optical line terminal that Fig. 5 provides for the present embodiment is executive agent;
A kind of coaxial network unit structural representation that Fig. 6 provides for the present embodiment;
A kind of optical line terminal structural representation that Fig. 7 provides for the present embodiment;
The another kind of optical line terminal structural representation that Fig. 8 provides for the present embodiment;
The system configuration schematic diagram of a kind of safety certification that Fig. 9 provides for the present embodiment.
Embodiment
Below in conjunction with the accompanying drawing in the embodiment of the present invention, the technical scheme in the embodiment of the present invention is clearly and completely described, obviously, described embodiment is only the present invention's part embodiment, rather than whole embodiment.Embodiment based in the present invention, those of ordinary skills, not making the every other embodiment obtaining under creative work prerequisite, belong to the scope of protection of the invention.
The present invention is mainly in EPOC system, adopt to sign that close scheme authenticate the coaxial network unit of new access and key management (as shared in session key etc.), effectively guaranteed the authenticity of authentication and the confidentiality of session key, wherein, optical line terminal is born authenticator's role; Coaxial network unit is born authentic role.
Signing close scheme is a kind of public key cryptography prototype that completes signature simultaneously and encrypt two functions in rational logic step, and advantage is to realize encryption (or key is shared) and the authentication to data at a rational logic step simultaneously.Compare with traditional " first sign and encrypt afterwards or first encrypt afterwards and sign " method, sign close scheme needs less communication cost and amount of calculation when realizing safety requirements such as the confidentiality of data, integrality and authentications, and can realize being encrypted (or key is shared) and authenticating of data simultaneously.
Sign in close scheme, optical line terminal can comprise the authentication of coaxial network unit and close shared step: coaxial network unit receives after the discovery mandate frame message (GATE message) of optical line terminal transmission, from GATE message, obtain optical line terminal address information, as, MAC(Medium Access Control, media access control layer) address etc.; According to MAC Address, calculate coaxial network unit PKI; Choose at random session key, and calculate and sign dense literary composition according to session key, coaxial network unit PKI; To optical line terminal, send the MAC Address of signing dense literary composition and coaxial network unit; Optical line terminal, according to obtain session key from sign dense literary composition, to realize sharing of key,, and authenticates coaxial network unit meanwhile.
Some embodiment are provided below, and during to coaxial network unit access network, optical line terminal authenticates coaxial network unit and carries out the shared step and method of key with coaxial network unit and is illustrated.
Embodiment mono-
The present embodiment provides a kind of method of safety certification, and the executive agent of the method is coaxial network unit, as shown in Figure 1, can comprise the following steps:
101, coaxial network unit obtains message, and from message, obtains the Media Access Control Address (being MAC Address) of optical line terminal.
The message that the optical line terminal that coaxial network unit receives sends, this message can for but be not limited to GATE message (finding to authorize frame message), in GATE message, can carry the source address of GATE message, i.e. the MAC Address of optical line terminal.Wherein, source address and address information can for but be not limited to MAC Address.
102, according to Media Access Control Address compute ray road terminal public key.
Sign in close scheme the method for calculating PKI is provided, optical line terminal PKI can be to calculate according to the MAC Address of optical line terminal.
103, according to arbitrary the first session key between coaxial network unit and optical line terminal and optical line terminal PKI and the dense literary composition of coaxial network unit private key calculating the first label.
Common, in order to guarantee the fail safe of transfer of data, transmitting terminal is used the first session key to be encrypted data between transmission data, and the data after encrypting are sent to receiving terminal, receiving terminal, after receiving data, is used the first session key to be decrypted the data that receive.
At transmitting terminal and receiving terminal, use before the first session key is encrypted data to be transmitted, need between transmitting terminal and receiving terminal, carry out the first session key and share.
In the present embodiment, for being realizes shared the do place mat of the first session key between coaxial network unit and optical line terminal, coaxial network unit is according to the first session key and optical line terminal PKI and the dense literary composition of coaxial network unit private key calculating the first label.
104, to optical line terminal, send first and sign dense literary composition, so that optical line terminal carries out network access authentication and calculates the first session key coaxial network unit according to the dense literary composition of the first label.
For optical line terminal being obtained and storing the first session key, coaxial network unit sends first to optical line terminal and signs dense literary composition, and optical line terminal can calculate the first session key according to the dense literary composition of the first label, to realize sharing of the first session key.
Adopt after such scheme, coaxial network unit, before access network, calculates first according to the first session key, coaxial network unit private key, optical line terminal PKI and signs dense literary composition; The dense literary composition of the first label is sent to optical line terminal, so that optical line terminal is signed dense literary composition according to coaxial network unit PKI, optical line terminal private key, first, coaxial network unit is carried out to network access authentication, increased the fail safe of the coaxial network unit of new access, and then increased to a certain extent the fail safe of EPOC system, and, optical line terminal can authenticate and transfer of data any coaxial network unit, has increased the flexibility of EPOC system.
Embodiment bis-
As improvement, the present embodiment provides the method for another kind of safety certification, and the method is to the further expanding of the method shown in Fig. 1, and as shown in Figure 2, can comprise the following steps:
201, coaxial network unit obtains message, and from message, obtains the Media Access Control Address (MAC Address) of optical line terminal.
The message that the optical line terminal that coaxial network unit receives sends, this message can for but be not limited to GATE message (finding to authorize frame message), in GATE message, can carry the source address of GATE message, i.e. optical line terminal MAC Address.
In GATE message, can carry slotted messages, slotted messages can be allowed to send to optical link for describing coaxial network unit the time range etc. of information.
The Functions that the present embodiment comprises GATE message is not construed as limiting, and for technology well known to those skilled in the art, does not repeat them here.
202, according to Media Access Control Address compute ray road terminal public key.
Sign in close scheme the method for calculating PKI is provided, optical line terminal PKI can be to calculate according to the MAC Address of optical line terminal.
Concrete, in signing close scheme, coaxial network unit can be according to formula Q oLT=H 0(ID oLT) compute ray road terminal public key, wherein, Q oLTfor optical line terminal PKI; ID oLTmAC Address for optical line terminal; H 0() first hash function.
203, according to arbitrary the first session key between coaxial network unit and optical line terminal and optical line terminal PKI and the dense literary composition of coaxial network unit private key calculating the first label.
The first session key is for being encrypted or deciphering the data of transmitting between coaxial network unit and optical link.
As an embodiment of the present embodiment, the first session key can for but be not limited to 128(bits) binary character string, the span of the first session key can for but be not limited to be more than or equal to 0 and be less than or equal to 2 127.
The present embodiment is not construed as limiting the method for using the first session key that data are encrypted or are deciphered, can set according to actual needs, does not repeat them here.
As an embodiment of the present embodiment, in signing close scheme, first signs dense literary composition can comprise two parts: X and y, according to coaxial network unit PKI, calculates X; According to coaxial network unit private key and optical line terminal PKI, calculate w; According to X and the first session-key computation h 1; According to h 1calculate Z with coaxial network unit private key; According to the Media Access Control Address of Z and w and the first session key and coaxial network unit, calculate y; According to X and y, generate the dense literary composition of the first label.
Concrete, X can be according to formula X=rQ cNUcalculate, wherein, r is constant; Y can be according to formula
Figure BDA00002087408100071
calculate, wherein, H 2() is the 3rd hash function; W is H 2the independent variable of (), w=e (rS cNU, Q oLT); Z=(r+h 1) S cNU; h 1=H 1(X||m); M is the first session key; H 1() is the second hash function; ID cNUmAC Address for coaxial network unit; Q cNUfor coaxial network unit PKI; S cNUfor coaxial network unit private key.According to foregoing description, can find out, when calculating the first ciphertext, utilize Q oLT, S cNU, m etc.
The present embodiment is not construed as limiting the difference of the first hash function, the second hash function, the 3rd hash function, for example, difference between them can for but be not limited to: codomain difference and/or the domain of definition are not equal, can set according to actual needs, do not repeat them here.
The present embodiment is not construed as limiting the content of the dense literary composition of the first label, can set according to actual needs, does not repeat them here.
204, to optical line terminal, send first and sign dense literary composition, so that optical line terminal carries out network access authentication and calculates the first session key coaxial network unit according to the dense literary composition of the first label.
Private key and the PKI of same equipment are used in conjunction with, when the private key of transmitting terminal use oneself and receiving terminal PKI are signed close i.e. encryption or carry out corresponding computing with data to be transmitted data to be transmitted, receiving terminal is used the private key of receiving terminal and the PKI of transmitting terminal to separate and sign close i.e. deciphering or carry out obtaining data to be transmitted after computing the data that receive.Another kind method can be: transmitting terminal is used session key to be encrypted data to be transmitted, and receiving terminal is used session key to decrypt data to be transmitted.
In signing close scheme, under configuration, the private key of the equipment of same operator need to be used identical master key, and also relevant with PKI, concrete, can configure private key according to formula S=sQ, and wherein, S is private key; S is master key; Q is PKI.
For optical line terminal being obtained and storing the first session key, coaxial network unit sends first to optical line terminal and signs dense literary composition, and optical line terminal can calculate the first session key according to the dense literary composition of the first label, to realize sharing of the first session key.
As an embodiment of the present embodiment, in signing close scheme, due to, first signs dense literary composition according to coaxial network unit private key, optical line terminal PKI, the first session-key computation, therefore, optical line terminal can be signed dense literary composition according to coaxial network unit PKI, optical line terminal private key and first and calculate the first session key.Also can be described as, coaxial network unit is used coaxial network unit private key and optical line terminal PKI to be encrypted the first session key, obtains first and sign dense literary composition after encrypting; It is close that optical line terminal is used coaxial network unit PKI and optical line terminal private key to separate label to the dense literary composition of the first label, thereby obtain the first session key.
First signs dense literary composition according to calculation of parameter such as coaxial network unit private key and optical line terminal PKIs, due to, private key is maintained secrecy, the private key of each coaxial network unit is portion's storage within it only, therefore, optical line terminal can also authenticate this Coaxial Network pipeline equipment according to coaxial network unit PKI, and whether authentication coaxial network unit PKI is corresponding with private key, and whether this coaxial network unit of authentication authorization and accounting is forged.
Further, coaxial network unit can send the message that includes the dense literary composition of the first label to optical line terminal.
As an embodiment of the present embodiment, as shown in Figure 3, for including the frame structure of the message of the dense literary composition of the first label, first signs the information field place that dense literary composition is added to frame structure.Wherein, the command code in the frame structure of this message can be 0004.In this step, source address can be the MAC Address of coaxial network unit, and destination address can be the MAC Address of optical line terminal.
205, the message that sends the Media Access Control Address that includes coaxial network unit to optical line terminal, makes optical line terminal obtain coaxial network unit PKI according to the Media Access Control Address of coaxial network unit.
206, receiving the registration response that optical line terminal sends, if by authentication, the title in a Flags(territory of registration response frame structure) domain identifier is 3; If, by authentication, the Flags domain identifier of registration response frame structure is not 4.If perform step 206 by authentication; If, by authentication, flow process does not finish.
Coaxial network unit, after receiving registration response, judges whether by authentication according to the numerical value of the Flags domain identifier of registration response, if by authentication, use the first session key to be encrypted data; If not by authentication, wait for authentication next time.
207, receive the update request that optical line terminal sends, update request is used to indicate coaxial network unit the first session key is upgraded.
The first session key can not indefinitely be used, due to, the time of use is longer, and the probability that the first session key is revealed is larger, therefore, need to upgrade the first session key, to guarantee the fail safe of the first session key.
For the first session key is upgraded, optical line terminal sends update request to coaxial network unit.
As an embodiment of the present embodiment, the command code of update request frame structure can be 0007.
Further alternative, the update request that receives optical line terminal transmission can be: receive the update request that optical line terminal periodically sends.
The mode that the present embodiment sends update request to optical line terminal is not construed as limiting, and can set according to actual needs, does not repeat them here.
208, coaxial network unit is according to arbitrary the second session key between coaxial network unit and optical line terminal and optical line terminal PKI and the dense literary composition of coaxial network unit private key calculating the second label.
In the method for the dense literary composition of coaxial network unit calculating the second label and step 203, the method for the dense literary composition of coaxial network unit calculating the first label is similar, does not repeat them here.
209, to optical line terminal, send second and sign dense literary composition, so that optical line terminal carries out for the second time network access authentication and calculates the second session key coaxial network unit according to the dense literary composition of the second label.
Wherein, coaxial network unit can send the key updating response that includes the dense literary composition of the second label to optical line terminal, and the command code of upgrading response frame form can be 0008.Upgrade the form shown in response frame form and Fig. 3 similar.
210, when coaxial network unit is by after the network access authentication of optical line terminal, by the first session key update, be the second session key, and use the second session key to be encrypted the data of transmitting between optical line terminal and coaxial network unit.
211, receive the key updating acknowledge message that optical line terminal sends, if by authentication, the Flags domain identifier of key updating acknowledge message frame structure is 3; If, by authentication, the Flags domain identifier of key updating acknowledge message frame structure is not 4.The command code that key upgrades acknowledge message frame structure is 0009.
Adopt after such scheme, coaxial network unit, before access network, calculates first according to the first session key, coaxial network unit private key, optical line terminal PKI and signs dense literary composition; The dense literary composition of the first label is sent to optical line terminal, so that optical line terminal is signed dense literary composition according to coaxial network unit PKI, optical line terminal private key, first and is calculated the first session key, to realize session key, share, simultaneously, can also carry out network access authentication to coaxial network unit, increased the fail safe of the coaxial network unit of new access, and then increased to a certain extent the fail safe of EPOC system, and, optical line terminal can authenticate and transfer of data any coaxial network unit, has increased the flexibility of EPOC system.
Embodiment tri-
The present embodiment provides a kind of method of safety certification, is applied to EPOC system, and the executive agent of the method is optical line terminal, as shown in Figure 4, can comprise the following steps:
401, optical line terminal receives the dense literary composition of the first label that coaxial network unit sends.
First signs dense literary composition is described in embodiment mono-and embodiment bis-, does not repeat them here.
402, according to the Media Access Control Address of the coaxial network unit receiving, calculate coaxial network unit PKI.
403, according to the dense literary composition of the first label and coaxial network unit PKI and optical line terminal private key, coaxial network unit is carried out to network access authentication, make optical line terminal and network access authentication by after coaxial network unit communicate.
Adopt after such scheme, optical line terminal is signed dense literary composition according to coaxial network unit PKI, optical line terminal private key, first coaxial network unit is carried out to network access authentication, increase the fail safe of the coaxial network unit of new access, and then increased to a certain extent the fail safe of EPOC system.
Embodiment tetra-
As improvement, the present embodiment provides the method for another kind of safety certification, and the method is further expanding of the method shown in Fig. 4, as shown in Figure 5, can comprise the following steps:
501, optical line terminal receives the dense literary composition of the first label that coaxial network unit sends.
First signs dense literary composition is described in embodiment mono-and embodiment bis-, does not repeat them here.
502, according to the Media Access Control Address of the coaxial network unit receiving, calculate coaxial network unit PKI.
Step 202 according to the method for the close scheme calculating of label PKI in " embodiment bis-" is described, does not repeat them here.
The Media Access Control Address of coaxial network unit can be by reception, to include the message of the Media Access Control Address of coaxial network unit, and obtain from this message.
503, optical line terminal calculates the first session key and coaxial network unit is carried out to network access authentication according to the dense literary composition of the first label and coaxial network unit PKI and optical line terminal private key, so that after passing through network access authentication, use the first session key that the data of transmitting between optical line terminal and coaxial network unit are encrypted and/or are deciphered, that is, make optical line terminal and network access authentication by after coaxial network unit communicate.
As an embodiment of the present embodiment, according in " embodiment bis-", step 203 is described, first signs dense literary composition can comprise two parts: X and y, and optical line terminal calculates the first session key according to the dense literary composition of the first label and coaxial network unit PKI and optical line terminal private key and can comprise:
According to coaxial network unit PKI and optical line terminal private key, calculate w; According to y and w, calculate a, first signs dense literary composition comprises y; According to the Media Access Control Address of coaxial network unit and a, calculate the first session key.
Concrete, optical line terminal is according to formula
Figure BDA00002087408100111
computation key m.Wherein, ID cNUfor coaxial network unit MAC Address; M is the first session key; H 2() is the 3rd hash function.
Due to, w=e (rS oLT, Q cNU), therefore, H 2(w)=H 2(rS oLT, Q cNU), S oLTfor optical line terminal private key, Q cNUfor coaxial network unit PKI, Q oLTfor optical line terminal PKI, S cNUfor coaxial network unit private key, and known Q cNU, S oLT, H 2(w)=H 2(rS oLT, Q cNU) be also known; Due to, known y, H 2(w), therefore, can be according to formula
Figure BDA00002087408100112
calculate a=Z||ID cNU|| m, again due to, known ID cNU, can be from Z||ID cNU|| m gets Z and key m.
Below to according to ID cNU, Z||ID cNU|| the method that m obtains Z, key m is illustrated.
Z||ID cNU|| m can be the data of random length, for example, works as Z||ID cNU|| m=100111, ID cNU=01 o'clock, Z||ID cNU|| the 3rd and the 4th in m is ID cNU, Z||ID cNU| in m, be positioned at ID cNUthe data in left side are Z, i.e. Z=10; Be positioned at ID cNUthe data on right side are m, i.e. m=11.
Optical line terminal carries out network access authentication to coaxial network unit and can comprise:
According to coaxial network unit PKI and optical line terminal private key, calculate w; According to y and w, calculate a, first signs dense literary composition comprises X and y; According to the Media Access Control Address of coaxial network unit and a, calculate the first session key and Z; According to X and the first session-key computation h 1; According to Z and X and h 1and coaxial network unit PKI carries out network access authentication to coaxial network unit.
Concrete, optical line terminal can also be according to formula e (Z, P)=e (Q tA, X+h 1q cNU) coaxial network unit is carried out to network access authentication.
Wherein, Q tA=sP is overall PKI, and for what be disclosed, in coaxial network unit and optical line terminal, all has storage; M, Z calculate in the foregoing description; h 1can be according to formula h 1=H 1(X||m) calculate; P, X, Q cNUfor known parameter.
As equation e (Z, P)=e (Q tA, X+h 1q cNU) while setting up, this coaxial network unit is allowed to access network, passes through network access authentication; As equation e (Z, P)=e (Q tA, X+h 1q cNU) while being false, this coaxial network unit is not allowed to access network, does not pass through network access authentication.Wherein, e () is bilinearity pair.
The present embodiment is to signing in close scheme, and the method for coaxial network unit being carried out to network access authentication is not construed as limiting, and any technology that can be well known to those skilled in the art, does not repeat them here.
504, to coaxial network unit, send registration response.
505, optical line terminal sends update request to coaxial network unit.
Further alternative, optical line terminal can periodically send update request to coaxial network unit.
506, receive the dense literary composition of the second label that coaxial network unit sends.
507, according to the dense literary composition of the second label and coaxial network unit PKI and optical line terminal private key, calculate the second session key.
508, according to the dense literary composition of the second label, coaxial network unit is carried out to network access authentication for the second time.
In step 503, the method to network access authentication is described, does not repeat them here.
509, to coaxial network unit, send key updating acknowledge message, when coaxial network unit is by after the network access authentication for the second time of optical line terminal, by the first session key update, be the second session key, and use the second session key to be encrypted the data of transmitting between optical line terminal and coaxial network unit.
Adopt after such scheme, coaxial network unit, before access network, calculates first according to the first session key, coaxial network unit private key, optical line terminal PKI and signs dense literary composition; The dense literary composition of the first label is sent to optical line terminal, so that optical line terminal is signed dense literary composition according to coaxial network unit PKI, optical line terminal private key, first and is calculated the first session key, to realize session key, share, simultaneously, can also carry out network access authentication to coaxial network unit, increased the fail safe of the coaxial network unit of new access, and then increased to a certain extent the fail safe of EPOC system, and, optical line terminal can authenticate and transfer of data any coaxial network unit, has increased the flexibility of EPOC system.
Embodiment five
The present embodiment provides a kind of coaxial network unit, as shown in Figure 6, can comprise:
Receiver 61 for obtaining message, and obtains the Media Access Control Address of optical line terminal from message;
Processor 62, for the Media Access Control Address compute ray road terminal public key getting according to receiver; According to arbitrary the first session key between institute's coaxial network unit and optical line terminal and optical line terminal PKI and the dense literary composition of coaxial network unit private key calculating the first label;
Transmitter 63, for the dense literary composition of the first label calculating to optical line terminal sending processor, so that optical line terminal carries out network access authentication according to the dense literary composition of the first label to coaxial network unit.
Adopt after such scheme, coaxial network unit is before access network, and processor calculates first according to the first session key, coaxial network unit private key, optical line terminal PKI and signs dense literary composition; Transmitter is sent to optical line terminal by the dense literary composition of the first label, so that optical line terminal is signed dense literary composition according to coaxial network unit PKI, optical line terminal private key, first, coaxial network unit is carried out to network access authentication, increased the fail safe of the coaxial network unit of new access, and then increased to a certain extent the fail safe of EPOC system, and, optical line terminal can authenticate and transfer of data any coaxial network unit, has increased the flexibility of EPOC system.
Embodiment six
As improvement, the present embodiment provides another kind of coaxial network unit, and this device is to the further expanding of the coaxial network unit shown in Fig. 6, and can comprise:
Receiver 61 for obtaining message, and obtains the Media Access Control Address of optical line terminal from message;
Processor 62, for the Media Access Control Address compute ray road terminal public key getting according to receiver; According to arbitrary the first session key between institute's coaxial network unit and optical line terminal and optical line terminal PKI and the dense literary composition of coaxial network unit private key calculating the first label;
Transmitter 63, for the dense literary composition of the first label calculating to optical line terminal sending processor, so that optical line terminal carries out network access authentication according to the dense literary composition of the first label to coaxial network unit.
Further, receiver, the update request also sending for receiving optical line terminal, update request is used to indicate coaxial network unit the first session key is upgraded;
Further, processor, also for the treatment of device, also signs dense literary composition for calculating second according to arbitrary the second session key between coaxial network unit and optical line terminal and optical line terminal PKI and coaxial network unit private key;
Further, transmitter, also for transmitter, also for signing dense literary composition to second of optical line terminal sending processor calculating, so that optical line terminal carries out network access authentication for the second time according to the dense literary composition of the second label to coaxial network unit.
Further, processor,, for when coaxial network unit is by after the network access authentication for the second time of optical line terminal, is also the second session key by the first session key update.
Further, receiver receives the session updates request that optical line terminal periodically sends.
Further, transmitter, also, for send the message of the Media Access Control Address that includes coaxial network unit to optical line terminal, makes optical line terminal obtain coaxial network unit PKI according to the Media Access Control Address of coaxial network unit.
Further, processor, for calculating X according to coaxial network unit PKI; According to coaxial network unit private key and optical line terminal PKI, calculate w; According to X and the first session-key computation h 1; According to h 1calculate Z with coaxial network unit private key; According to the Media Access Control Address of Z and w and the first session key and coaxial network unit, calculate y; According to X and y, generate the dense literary composition of the first label.
Adopt after such scheme, coaxial network unit is before access network, and processor calculates first according to the first session key, coaxial network unit private key, optical line terminal PKI and signs dense literary composition; Transmitter is sent to optical line terminal by the dense literary composition of the first label, so that optical line terminal is signed dense literary composition according to coaxial network unit PKI, optical line terminal private key, first, coaxial network unit is carried out to network access authentication, increased the fail safe of the coaxial network unit of new access, and then increased to a certain extent the fail safe of EPOC system, and, optical line terminal can authenticate and transfer of data any coaxial network unit, has increased the flexibility of EPOC system.
Embodiment seven
The present embodiment provides a kind of optical line terminal, as shown in Figure 7, can comprise:
Receiver 71, the dense literary composition of the first label sending for receiving coaxial network unit;
Processor 72, for calculating coaxial network unit PKI according to the Media Access Control Address of the coaxial network unit receiving; According to the dense literary composition of the first label and coaxial network unit PKI and optical line terminal private key, coaxial network unit is carried out to network access authentication, make optical line terminal and network access authentication by after coaxial network unit communicate.
Adopt after such scheme, processor is signed dense literary composition according to coaxial network unit PKI, optical line terminal private key, first can carry out network access authentication to coaxial network unit, increase the fail safe of the coaxial network unit of new access, and then increased to a certain extent the fail safe of EPOC system.
Embodiment eight
As improvement, the present embodiment provides another kind of optical line terminal, is to the further expanding of the optical line terminal shown in Fig. 7, and as shown in Figure 8, can comprise:
Receiver 81, the dense literary composition of the first label sending for receiving coaxial network unit;
Processor 82, for calculating coaxial network unit PKI according to the Media Access Control Address of the coaxial network unit receiving; According to the dense literary composition of the first label and coaxial network unit PKI and optical line terminal private key, coaxial network unit is carried out to network access authentication, make optical line terminal and network access authentication by after coaxial network unit communicate.
Transmitter 83, if pass through network access authentication for coaxial network unit, sends update request to coaxial network unit, and update request is used to indicate coaxial network unit the first session key is upgraded.
Further, processor, also for calculating the first session key according to the dense literary composition of the first label and coaxial network unit PKI and optical line terminal private key.
Further, receiver also for receiver, also for receiving the message of the Media Access Control Address that includes coaxial network unit, and obtains the Media Access Control Address of coaxial network unit from message.
Further, receiver, the dense literary composition of the second label also sending for receiving coaxial network unit.
Further, processor, also for the treatment of device, also calculates the second session key and coaxial network unit is carried out to network access authentication for the second time for signing dense literary composition and coaxial network unit PKI and optical line terminal private key according to second of receiver reception.
Further, processor,, for when coaxial network unit is by after the network access authentication for the second time of optical line terminal, is also the second session key by the first session key update.
Further, if transmitter passes through network access authentication for coaxial network unit, periodically to coaxial network unit, send session updates request.
Further, processor, also for calculating w according to coaxial network unit PKI and optical line terminal private key; According to y and w, calculate a, first signs dense literary composition comprises X and y; According to the Media Access Control Address of coaxial network unit and a, calculate the first session key and Z; According to X and the first session-key computation h 1; According to Z and X and h 1and coaxial network unit PKI carries out network access authentication to coaxial network unit.
Further, processor, also for calculating w according to coaxial network unit PKI and optical line terminal private key; According to y and w, calculate a, first signs dense literary composition comprises y; According to the Media Access Control Address of coaxial network unit and a, calculate the first session key.
Adopt after such scheme, processor is signed dense literary composition according to coaxial network unit PKI, optical line terminal private key, first and is calculated the first session key, to realize key, share, simultaneously, processor can also carry out network access authentication to coaxial network unit, increase the fail safe of the coaxial network unit of new access, and then increased to a certain extent the fail safe of EPOC system.
Embodiment nine
The present embodiment provides a kind of system of safety certification, as shown in Figure 9, can comprise: the optical line terminal 92 providing in the coaxial network unit 91 providing in embodiment five or embodiment six and embodiment seven or embodiment eight.
Adopt after such scheme, optical line terminal is signed dense literary composition according to coaxial network unit PKI, optical line terminal private key, first and is calculated the first session key, to realize key, share, meanwhile, can carry out network access authentication to coaxial network unit, increased the fail safe of the coaxial network unit of new access, and, by after network access authentication, the first session key is upgraded, improve the fail safe of key, and then increased to a certain extent the fail safe of EPOC system.
Through the above description of the embodiments, those skilled in the art can be well understood to the mode that the present invention can add essential common hardware by software and realize, and can certainly pass through hardware, but in a lot of situation, the former is better execution mode.Understanding based on such, the part that technical scheme of the present invention contributes to prior art in essence in other words can embody with the form of software product, this computer software product is stored in the storage medium can read, as the floppy disk of computer, hard disk or CD etc., comprise some instructions with so that computer equipment (can be personal computer, server, or the network equipment etc.) carry out the method described in each embodiment of the present invention.
The above; be only the specific embodiment of the present invention, but protection scope of the present invention is not limited to this, is anyly familiar with those skilled in the art in the technical scope that the present invention discloses; can expect easily changing or upgrading, within all should being encompassed in protection scope of the present invention.Therefore, protection scope of the present invention should be as the criterion by the described protection range with claim.

Claims (15)

1. a method for safety certification, is applied to the ether passive light line system based on coaxial, it is characterized in that, comprising:
Obtain message, and from described message, obtain the Media Access Control Address of optical line terminal;
According to described Media Access Control Address compute ray road terminal public key;
According to arbitrary the first session key between coaxial network unit and described optical line terminal and described optical line terminal PKI and the dense literary composition of coaxial network unit private key calculating the first label;
To described optical line terminal, send described first and sign dense literary composition, so that described optical line terminal is signed dense literary composition according to described first, described coaxial network unit is carried out to network access authentication.
2. method according to claim 1, is characterized in that, described to described optical line terminal, send described first sign dense literary composition after, described method also comprises:
Receive the update request that described optical line terminal sends, described update request is used to indicate described coaxial network unit described the first session key is upgraded;
According to arbitrary the second session key between described coaxial network unit and described optical line terminal and described optical line terminal PKI and the dense literary composition of described coaxial network unit private key calculating the second label;
To described optical line terminal, send described second and sign dense literary composition, so that described optical line terminal is signed dense literary composition according to described second, described coaxial network unit is carried out to network access authentication for the second time;
When described coaxial network unit is by after the network access authentication for the second time of described optical line terminal, by described the first session key update, be described the second session key.
3. according to the method described in any one in claim 1 or 2, it is characterized in that, described method also comprises:
The message that sends the Media Access Control Address that includes described coaxial network unit to described optical line terminal, makes described optical line terminal obtain coaxial network unit PKI according to the Media Access Control Address of described coaxial network unit.
4. a method for safety certification, is applied to the ether passive light line system based on coaxial, it is characterized in that, comprising:
Receive the dense literary composition of the first label that coaxial network unit sends;
According to the Media Access Control Address of the coaxial network unit receiving, calculate coaxial network unit PKI;
According to described first, sign dense literary composition and described coaxial network unit PKI and optical line terminal private key described coaxial network unit carried out to network access authentication, make optical line terminal and network access authentication by after coaxial network unit communicate.
5. method according to claim 4, is characterized in that, after the described calculating of the Media Access Control Address according to the coaxial network unit receiving coaxial network unit PKI, described method also comprises:
According to described first, sign dense literary composition and described coaxial network unit PKI and optical line terminal private key and calculate described the first session key.
6. according to the method described in claim 4 or 5, it is characterized in that, before the described calculating of the coaxial network unit Media Access Control Address according to reception coaxial network unit PKI, described method also comprises:
Reception includes the message of the Media Access Control Address of described coaxial network unit, and from described message, obtains the Media Access Control Address of described coaxial network unit.
7. according to the method described in any one in claim 4 to 6, it is characterized in that, described described coaxial network unit is carried out to network access authentication after, if described coaxial network unit by described network access authentication, described method also comprises:
To described coaxial network unit, send update request, described update request is used to indicate described coaxial network unit described the first session key is upgraded;
Receive the dense literary composition of the second label that described coaxial network unit sends;
According to described second, signing dense literary composition and described coaxial network unit PKI and described optical line terminal private key calculates described the second session key and described coaxial network unit is carried out to network access authentication for the second time;
When described coaxial network unit is by after the network access authentication for the second time of described optical line terminal, by described the first session key update, be described the second session key.
8. a coaxial network unit, is characterized in that, comprising:
Receiver for obtaining message, and obtains the Media Access Control Address of optical line terminal from described message;
Processor, for the Media Access Control Address compute ray road terminal public key getting according to described receiver; According to arbitrary the first session key between institute's coaxial network unit and described optical line terminal and described optical line terminal PKI and the dense literary composition of coaxial network unit private key calculating the first label;
Transmitter, the dense literary composition of the first label calculating for send described processor to described optical line terminal, carries out network access authentication so that described optical line terminal is signed dense literary composition according to described first to described coaxial network unit.
9. coaxial network unit according to claim 8, is characterized in that, described receiver, and the update request also sending for receiving described optical line terminal, described update request is used to indicate described coaxial network unit described the first session key is upgraded;
Described processor, also signs dense literary composition for calculating second according to arbitrary the second session key between described coaxial network unit and optical line terminal and described optical line terminal PKI and described coaxial network unit private key; When described coaxial network unit is by after the network access authentication for the second time of described optical line terminal, by described the first session key update, be described the second session key;
Described transmitter, the dense literary composition of the second label also calculating for send described processor to described optical line terminal, carries out network access authentication for the second time so that described optical line terminal is signed dense literary composition according to described second to described coaxial network unit.
10. coaxial network unit according to claim 8 or claim 9, it is characterized in that, described transmitter, also, for send the message of the Media Access Control Address that includes described coaxial network unit to described optical line terminal, make described optical line terminal obtain coaxial network unit PKI according to the Media Access Control Address of described coaxial network unit.
11. 1 kinds of optical line terminals, is characterized in that, comprising:
Receiver, the dense literary composition of the first label sending for receiving coaxial network unit;
Processor, for calculating coaxial network unit PKI according to the Media Access Control Address of the coaxial network unit receiving; According to described first, sign dense literary composition and described coaxial network unit PKI and optical line terminal private key described coaxial network unit carried out to network access authentication, make optical line terminal and network access authentication by after coaxial network unit communicate.
12. optical line terminals according to claim 11, is characterized in that, described processor also calculates described the first session key for signing dense literary composition and described coaxial network unit PKI and optical line terminal private key according to described first.
13. according to the optical line terminal described in claim 11 or 12, it is characterized in that, described receiver also for receiving the message of the Media Access Control Address that includes described coaxial network unit, and obtains the Media Access Control Address of described coaxial network unit from described message.
14. according to claim 11 to the optical line terminal described in any one in 13, it is characterized in that, also comprises:
Transmitter, if pass through described network access authentication for described coaxial network unit, sends update request to described coaxial network unit, and described update request is used to indicate described coaxial network unit described the first session key is upgraded;
Described receiver, the dense literary composition of the second label also sending for receiving described coaxial network unit;
Described processor, also calculates described the second session key and described coaxial network unit is carried out to network access authentication for the second time for signing dense literary composition and described coaxial network unit PKI and described optical line terminal private key according to second of described receiver reception; When described coaxial network unit is by after the network access authentication for the second time of described optical line terminal, by described the first session key update, be described the second session key.
The system of 15. 1 kinds of safety certifications, is characterized in that, comprising: the optical line terminal described in the coaxial network unit described in claim 8 to 10 any one and claim 11 to 14 any one.
CN201280000849.8A 2012-06-21 2012-06-21 The methods, devices and systems of safety certification Active CN103609061B (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/CN2012/077386 WO2013189083A1 (en) 2012-06-21 2012-06-21 Method, device and system for security authentication

Publications (2)

Publication Number Publication Date
CN103609061A true CN103609061A (en) 2014-02-26
CN103609061B CN103609061B (en) 2016-11-23

Family

ID=49768054

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201280000849.8A Active CN103609061B (en) 2012-06-21 2012-06-21 The methods, devices and systems of safety certification

Country Status (2)

Country Link
CN (1) CN103609061B (en)
WO (1) WO2013189083A1 (en)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018090967A1 (en) * 2016-11-17 2018-05-24 深圳创维数字技术有限公司 Secure data transmission method and system based on eoc network

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030194241A1 (en) * 2001-07-05 2003-10-16 Wave7 Optics, Inc. Method and system for providing a return data path for legacy terminals by using existing electrical waveguides of a structure
WO2008100003A1 (en) * 2007-02-16 2008-08-21 Ls Cable Ltd. Device and method for buffering data in the hybrid-fiber coaxial
CN101662705A (en) * 2009-10-19 2010-03-03 国网信息通信有限公司 Equipment authentication method of Ethernet passive optical network (EPON) and system thereof

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030194241A1 (en) * 2001-07-05 2003-10-16 Wave7 Optics, Inc. Method and system for providing a return data path for legacy terminals by using existing electrical waveguides of a structure
WO2008100003A1 (en) * 2007-02-16 2008-08-21 Ls Cable Ltd. Device and method for buffering data in the hybrid-fiber coaxial
CN101662705A (en) * 2009-10-19 2010-03-03 国网信息通信有限公司 Equipment authentication method of Ethernet passive optical network (EPON) and system thereof

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2018090967A1 (en) * 2016-11-17 2018-05-24 深圳创维数字技术有限公司 Secure data transmission method and system based on eoc network

Also Published As

Publication number Publication date
WO2013189083A1 (en) 2013-12-27
CN103609061B (en) 2016-11-23

Similar Documents

Publication Publication Date Title
CN111684760B (en) Cryptographic method and system for managing digital certificates
CN109600350B (en) System and method for secure communication between controllers in a vehicle network
CN104683112B (en) A kind of car car safety communicating method that certification is assisted based on RSU
CN102970299B (en) File safe protection system and method thereof
CN101662705B (en) Equipment authentication method of Ethernet passive optical network (EPON) and system thereof
CN102594558B (en) Anonymous digital certificate system and verification method of trustable computing environment
CA3211184A1 (en) Wireless access credential system
CN103532713B (en) Sensor authentication and shared key production method and system and sensor
CN107105060A (en) A kind of method for realizing electric automobile information security
CN108650028B (en) Multiple identity authentication system and method based on quantum communication network and true random number
KR101549034B1 (en) Method for guarantying the confidentiality and integrity of a data in Controller Area Networks
CN107040379B (en) Method for authentication by a controller of a vehicle
EP3750277A1 (en) Cryptographic methods and systems using blinded activation codes for digital certificate revocation
CN108964897B (en) Identity authentication system and method based on group communication
CN105873031A (en) Authentication and key negotiation method of distributed unmanned aerial vehicle based on trusted platform
CN103699920A (en) Radio frequency identification two-way authentication method based on ellipse curve
CN109005032B (en) Routing method and device
CN105262773A (en) A verification method and apparatus for an IOT system
Amin et al. An enhanced anonymity resilience security protocol for vehicular ad-hoc network with scyther simulation
CN108964895B (en) User-to-User identity authentication system and method based on group key pool and improved Kerberos
CN110212991B (en) Quantum wireless network communication system
WO2023279283A1 (en) Method for establishing secure vehicle communication, and vehicle, terminal and system
US20220191045A1 (en) Implementation of a butterfly key expansion scheme
CN116760614A (en) Zero-knowledge proof identity authentication scheme for Internet of vehicles based on blockchain and PUF technology
CN103609061A (en) Method, device and system for security authentication

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
SE01 Entry into force of request for substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant