WO2006062345A1 - Method of distributing keys over epon - Google Patents

Method of distributing keys over epon Download PDF

Info

Publication number
WO2006062345A1
WO2006062345A1 PCT/KR2005/004168 KR2005004168W WO2006062345A1 WO 2006062345 A1 WO2006062345 A1 WO 2006062345A1 KR 2005004168 W KR2005004168 W KR 2005004168W WO 2006062345 A1 WO2006062345 A1 WO 2006062345A1
Authority
WO
WIPO (PCT)
Prior art keywords
key
olt
onu
random value
frame
Prior art date
Application number
PCT/KR2005/004168
Other languages
French (fr)
Inventor
Jee-Sook Eun
Kyeong-Soo Han
Tae-Whan Yoo
Yool Kwon
Original Assignee
Electronics And Telecommunications Research Institute
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from KR1020040102394A external-priority patent/KR20060063271A/en
Priority claimed from KR1020050103791A external-priority patent/KR100809393B1/en
Application filed by Electronics And Telecommunications Research Institute filed Critical Electronics And Telecommunications Research Institute
Priority to CN2005800419669A priority Critical patent/CN101073221B/en
Publication of WO2006062345A1 publication Critical patent/WO2006062345A1/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L9/0841Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0891Revocation or update of secret information, e.g. encryption key update or rekeying
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/60Digital content management, e.g. content distribution
    • H04L2209/601Broadcast encryption

Definitions

  • the present invention relates to a key distribution method, and more particularly, to a method of distributing keys over an Ethernet passive optical network (EPON) without using a secure channel.
  • EPON Ethernet passive optical network
  • a key used for encryption is identical to a key used for decryption. For example, if an entity A uses a key K to encrypt a message, an entity B must use the key K to decrypt the message received from the entity A.
  • Encryption algorithms used in the symmetric-key encryption technique include Data Encryption Standard(DES) and Advanced Encryption Standard(AES) algorithms, which use 56-bit and 128-bit key lengths, respectively.
  • a longer key length provides stronger security but results in a longer message processing time. Given current processing technology, a key length of 128 bits or greater is sufficient for the symmetric-key encryption technique. Since messages can be quickly encrypted or decrypted using the symmetric-key algorithm, it is used for message security in most encryption modules.
  • N(N- 1)/2 keys are required.
  • a key distribution center for distributing keys is required within the communications network. The key distribution center distributes a key of a first entity to a second entity who desires to communicate with the first entity through a predetermined, secure channel. Further, since keys must be periodically replaced, the cost of distributing keys increases.
  • a key used for encryption and a key used for decryption are different.
  • an entity A uses a key K to encrypt a message
  • an entity B should use a key K ' to decrypt the message received from the entity A using a Ri vest- Shamir- Adleman (RSA) algorithm.
  • RSA Ri vest- Shamir- Adleman
  • the entity A creates the keys K and K ' and publicizes the key K to other entities on the communications network.
  • an entity desiring to communicate with the entity A encrypts a message using the key K and transmits the encrypted message to the entity A.
  • the keys K and K ' exist as a unique pair. Even though the key K is publicized, it is computationally impossible to determine the key K '. Unlike the symmetric-key encryption technique, in the public-key encryption technique, each entity requires two keys, and a secure channel is not required to distribute the key K . Thus, it is easier to distribute keys, and the number of keys to be distributed within the communications network can be reduced.
  • An encryption module and a key management module are required to apply security technology in a network layer.
  • the encryption module encrypts messages using an encryption algorithm.
  • the encryption module uses the symmetric-key encryption technique or the public -key encryption technique to encrypt messages using keys provided by the key management module.
  • the key management module manages keys to be provided to the encryption module. Key management involves creation, storage, distribution, updating and discard of keys.
  • the symmetric-key encryption technique is used, the key distribution center distributes keys using a secure channel.
  • the public-key encryption technique keys are distributed through an insecure channel. Disclosure of Invention
  • the present invention provides a method of safely distributing keys over an
  • Ethernet Passive Optical Network without using a secure channel, the method being applied to a data link layer.
  • a method of distributing keys over an EPON to generate a unicast secure channel including: exchanging first random valued respectively generated by an Optical Line Terminal (OLT) and an Optical Network Unit (ONU) between the OLT and the ONU; generating a Pair- wise Master Key (PMK ) based on the exchanged first random values and a pre-distributed master key using a hash function; exchanging second random values respectively generated by the OLT and the ONU between the OLT and the ONU; and generating a temporary key based on the exchanged second random values, respective media access control (MAC) addresses of the OLT and the ONU, and the PMK using the hash function.
  • OLT Optical Line Terminal
  • ONU Optical Network Unit
  • [13] method of distributing keys on an EPON to generate a broadcast secure channel including: delivering a first random value generated by an OLT to an ONU; generating a PMK based on the delivered first random value and a pre- distributed master key using a hash function; transmitting a second random value generated by the OLT to the ONU; and generating a temporary key based on the delivered second random value, MAC addresses of the OLT and the ONU, and the PMK using the hash function.
  • a key distribution method according to the present invention is applied to an EPON for network security.
  • a key used by an encryption module can be safely and efficiently distributed using a key management module in each of an OLT and an ONU of the EPON.
  • Specific effects of the key distribution method according to embodiments of the present invention are as follows.
  • a separate secure channel for key distribution is not required since a PRF is used.
  • the PRF is a well-known one-way, collision-free hash function. When an output value is set larger than 160 bits, the PRF is cryptologically stable.
  • the present invention suggests a key distribution method using the PRF, thereby avoiding a direct key delivery over a channel. Since no separate secure channel is required, complexity of a key management module can be reduced.
  • a slow protocol is used.
  • the slow protocol uses a MAC frame in a data link layer. Therefore, the present invention, which uses the slow protocol, does not allow a key management frame to be intercepted by an attacker outside the EPON. Since the key management frame cannot be intercepted outside the EPON, it is safe within the EPON.
  • the slow protocol limits the maximum number of frames that can be transmitted per second to 10 and the frame length to 128 bytes. Therefore, frame transmission does not affect an amount of traffic in the EPON.
  • keys are distributed using a relatively simple protocol.
  • the present invention distributes keys using a key management protocol and involves five processes of requesting a key update, responding to a key update request, requesting key verification, responding to a key verification request, and confirming key verification.
  • Si nee information included in a frame to be transmitted is composed of a simple algorithm having simple input and output values, protocol complexity can be simplified.
  • the present invention is scalable.
  • a key management module can use the present invention independently of an encryption algorithm of an encryption module when the security technology is applied to a data link layer in a general network.
  • keys are automatically distributed according to a key distribution procedure.
  • a central control device that functions as a key distribution center, such as an OLT, is required.
  • FIG. 1 illustrates a block diagram illustrating the structure of an Ethernet passive optical network (EPON) to which the present invention is applied;
  • EPON Ethernet passive optical network
  • FIG. 2 is a flowchart illustrating a method of distributing keys on an EPON according to an embodiment of the present invention
  • FIG. 3 illustrates the structure of a conventional media access control (MAC) frame used in a data link layer
  • FIG. 4 illustrates the structure of a MAC frame used to distribute and manage keys according to an embodiment of the present invention
  • FIG. 5 illustrates the structure of an information key management frame according to an embodiment of the present invention
  • FIGS. 6A and 6B illustrate the structures of key management frames for requesting a key update according to embodiments of the present invention
  • FIGS. 7A and 7B illustrate the structures of key management frames for responding to a key update request according to embodiments of the present invention
  • FIG. 8 illustrates the structure of a key management frame for requesting key verification according to an embodiment of the present invention
  • FIG. 9 illustrates the structure of a key management frame for responding to a key verification request according to an embodiment of the present invention
  • FIG. 10 illustrates the structure of a key management frame for confirming key verification according to an embodiment of the present invention
  • FIG. 11 illustrates a procedure state in a key distribution method according to an embodiment of the present invention
  • FIG. 12 is a flowchart illustrating a key update method according to an embodiment of the present invention.
  • FIG. 13 is a flowchart illustrating a key update method according to another embodiment of the present invention.
  • a method of distributing keys over an EPON to generate a unicast secure channel including: exchanging first random valued respectively generated by an Optical Line Terminal (OLT) and an Optical Network Unit (ONU) between the OLT and the ONU; generating a Pair- wise Master Key (PMK ) based on the exchanged first random values and a pre-distributed master key using a hash function; exchanging second random values respectively generated by the OLT and the ONU between the OLT and the ONU; and generating a temporary key based on the exchanged second random values, respective media access control (MAC) addresses of the OLT and the ONU, and the PMK using the hash function.
  • OLT Optical Line Terminal
  • ONU Optical Network Unit
  • [37] method of distributing keys on an EPON to generate a broadcast secure channel including: delivering a first random value generated by an OLT to an ONU; generating a PMK based on the delivered first random value and a pre- distributed master key using a hash function; transmitting a second random value generated by the OLT to the ONU; and generating a temporary key based on the delivered second random value, MAC addresses of the OLT and the ONU, and the PMK using the hash function.
  • FIG. 1 is a block diagram illustrating the structure of an Ethernet passive optical network (EPON) to which the present invention is applied.
  • the EPON has a point- to-multi point (P2MP) tree structure. If an asymmetric -key encryption technique is applied to the EPON, a faster operation of an encryption module may be guaranteed, but complexity of key distribution is unavoidable.
  • P2MP point-to-point
  • the EPON does not have a network structure. Logically, the EPON has a point-to-point (P2P) structure although it physically has a P2MP structure. In other words, all optical network units (ONUs) 110 through 1 IN are connected to a single optical line terminal (OLT) 100. Therefore, it is not necessary to distribute a plurality of keys to each entity as is required in the symmetric-key encryption technique.
  • each of the ONUs 110 through 1 IN requires only one key to communicate with the OLT 100.
  • the two ONUs 110 and 112 use the same key since the transmitted data must pass through the OLT 100.
  • Security technology used in the EPON is applied to a data link layer.
  • the number of keys required for encryption is identical to the number of channels set by the ONUs 110 through 1 IN to communicate with the OLT 100. Consequently, the number of keys required in the symmetric-key encryption technique is close to the number of keys distributed when a public-key encryption technique is used.
  • the OLT 100 can distribute keys to each of the ONUs 110 through 1 IN through a control process.
  • 'downward data' is broadcasted, and upward data transmitted from the ONUs 110 through 1 IN to the OLT (hereinafter, referred as 'upward data') is unicasted.
  • a key distribution method according to an embodiment of the present invention is a link security technology which is applied to the data link layer.
  • the key distribution method is used by the key management module.
  • the key management module may use the key distribution method when link security is implemented on the EPON.
  • the OLT 100 generates keys to be provided to the encryption module and distributes the generated keys to the ONUs 110 through 1 IN, or the ONUs 110 through 1 IN generates keys to be provided to the encryption module and distribute the generated keys to the OLT 100.
  • the generated keys are periodically updated, and a key distribution method is required for this. Keys must be distributed using the safest key distribution method possible.
  • Keys may be distributed using a secure channel provided by the encryption module or using a separate secure channel created by the key management module.
  • the key management module when the secure channel provided by the encryption module is used, if the encryption module operates only in one direction, that is, if data transmitted from the OLT 100 to the ONUs 110 through 1 IN is encrypted but data transmitted from the ONUs 110 through 1 IN to the OLT 100 is not encrypted, the key management module must create a separate secure channel.
  • the key management module creates a separate secure channel, it must include a module like the encryption module which uses an encryption algorithm and manage keys separately from those provided by the encryption module. Therefore, key management becomes considerably complicated.
  • FIG. 2 is a flowchart illustrating a method of distributing keys on an EPON according to an embodiment of the present invention.
  • an OLT generates a first random value Anonce and transmits the first random value Anonce to an ONU and the ONU also generates a first random value Bnonce and transmits the first random value Bnonce to the OLT.
  • the OLT generates the first random value Anonce and transmits the generated first random value Anonce to the ONU (S200).
  • Each of the OLT and the ONU executes a hash function on the first random value Anonce or Bnonce generated by itself, the random value Bnonce or Anonce received from each other and a pre-distributed and shared master key (MK), and generates a pairwise master key (PMK) (S210).
  • MK pre-distributed and shared master key
  • PMK pairwise master key
  • the MK is distributed to the OLT and the ONU before encryption is performed and may be distributed using various conventional methods.
  • the present invention uses a pseudo random function (PRF), which is a hash function, as an algorithm for generating keys.
  • PRF pseudo random function
  • the hash function has the following properties.
  • H(x) is easy to compute given H and x.
  • the OLT After the PMK is generated, the OLT generates a second random value Anonce and transmits the second random value Anonce to the ONU, and the ONU also generates a second random value Bnonce and transmits the second random value Bnonce to the OLT (S220). Alternatively, the OLT generates second random values Anonce and Bnonce and transmits the second random values Anonce and Bnonce to the ONU (S220).
  • the OLT executes a hash function using the second random value Anonce generated by itself, the second random value Bnonce received from the ONU or generated by itself, its MAC address, a MAC address of the ONU and the PMK, and generates a temporary key (TK) (S230).
  • the ONU also generates a TK using the method used by the OLT.
  • the TK is a session key.
  • a broadcast TK is divided into a broadcast key (BK) and an initial value (IV) for a broadcast secure channel.
  • a unicast TK is divided into an authentication key (AK), a secure association key (SAK), and an IV for a unicast secure channel.
  • AK authentication key
  • SAK secure association key
  • IV IV for a unicast secure channel.
  • the key distribution method according to the present embodiment described with reference to FIG. 2 can avoid directly delivering keys using a channel. Thus, a separate secure channel for delivering keys is not required.
  • a key is delivered through a secure channel, if a secure channel key is revealed to an attacker, a data encryption key is also revealed to the attacker.
  • embodiments of the present invention can avoid such risks.
  • the present embodiment is used in the data link layer, and thus uses frames which are generated and vanish between the OLT and the ONU.
  • a MAC frame which is generated and vanishes on the EPON is an OAM frame.
  • the key distribution method according to the present embodiment uses a slow protocol as used in an OAM protocol.
  • FIG. 3 illustrates the structure of a conventional MAC frame 300 used in the data link layer.
  • the conventional MAC frame 300 includes a destination address (DA) field 310, a source address (SA) field 320, a length/type field 330, a data/ pad field 340 for recording data, and an FCS field 350 for identifying frame errors.
  • DA destination address
  • SA source address
  • FCS FCS field
  • FIG. 4 illustrates the structure of a MAC frame 400 used to distribute and manage keys according to an embodiment of the present invention.
  • the MAC frame 400 includes a DA field 405, an SA field 410, a length/type field 415, a subtype field 420, a flag field 425, a code field 430, a data/pad field 435, and an FCS field 440.
  • the MAC frame 400 suitable for a key management protocol according to the present invention can be referred to as a key management frame, each field of which will now be described below.
  • the DA field 405 has a value of '01-80-C2-00-00-02,' and the length/type field 415 has a value of '80-09' indicating the slow protocol.
  • the subtype field 420 uses '4' out of 4-10, excluding 1-3 used conventionally.
  • the data/pad field 435 must have a minimum length of 43 bytes. Even when the maximum length of the MAC frame 400 is 1522 bytes, the data/pad field 435 of the key management frame, i.e., the MAC frame 400, can be extended only to 107 bytes since the maximum frame length used in the slow protocol is limited to 128 bytes.
  • the flag field 425 is composed of 1 byte, and the function of each bit is shown in FIG. 2 below. [77]
  • a set done bit is classified as a local set done bit and a remote set done bit. For example, when the OLT transmits the key management frame to the ONU, the local set done bit indicates encryption module information of the OLT, and the remote set done bit indicates encryption module information of the ONU.
  • the flag field 425 is included in all key management frames and is processed as first information of the key management frame.
  • the flag field 425 enables the key management module to quickly respond to changes in the encryption module that occur while the encryption module operates normally in a state where local and remote set done bits of the flag field 425 are '1.' In other words, when the values of the local set done bit and the remote set done bit are changed to 1 O,' the encryption module must be stopped.
  • a transmitting end When transmitting the key management frame, a transmitting end always has state information of an encryption module of a receiving end that its has in the remote set done of the key management frame and transmits the key management frame to a receiving end. Therefore, the receiving end can identify whether the transmitting end properly manages the state information of the encryption module of the receiving end based on the received key management frame.
  • the code field 430 is composed of 1 byte and indicates the type of the key management frame.
  • the types of key management frame according to code values are shown in Table 3.
  • FIG. 5 illustrates the structure of an information key management frame 500 according to an embodiment of the present invention.
  • the structure of the information key management frame 500 is identical to that of the key management frame, i.e., the MAC frame 400, of FIG. 4.
  • a value of a code field 530 is T (see Table 3) indicating the information key management frame 500.
  • a data/pad field 535 includes a local_config field 537 indicating configuration information of a key management module and a remote_config field 539 indicating configuration information of an encryption module.
  • the operating state bit shown in Table 4 indicates whether a current encryption module is actually operable on a system. In other words, when the operating state bit indicates 'on' and the remaining bits of the configuration information are synchronized with one another, the value of the set done bit of the flag field 525 can be '1.' However, when the encryption module does not operate and thus the operating state bit is set to 1 O,' the remaining bits of the configuration information are all set to 'null.'
  • the encryption mode bit shown in Table 4 indicates a function provided by the encryption module. Since the downward data is broadcast data and the upward data is unicast data in the case of the EPON, the upward data may sometimes not be encrypted or the downward data may sometimes not be encrypted. If security modules of the OLT and the ONU cannot be synchronized after the encryption mode information is processed, the set done bit of the flag field 525 is set to 1 O.'
  • the encryption algorithm bit shown in Table 4 indicates an algorithm used by the encryption module to encrypt or decrypt data.
  • all algorithms except for RSA are symmetric algorithms.
  • the encryption module may or may not have an independent module which operates a plurality of encryption modules. If the security modules of the OLT and the ONU cannot be synchronized after the encryption algorithm information is processed, the set done bit of the flag field 525 is set to 1 O.'
  • the key distribution algorithm bit shown in Table 4 indicates a key distribution method used by the key management module. Two algorithms are indicated in Table 4 as examples. However, when a separate encryption channel for key distribution is formed, the key distribution algorithm bit indicates algorithm information used by a key distribution encryption module.
  • the data/pad field 535 of the information key management frame 500 may be changed or a new key management frame may be defined and used.
  • the key distribution algorithm according to an embodiment of the present invention is a modified version of the Diffie-Hellman method and does not require a separate encryption channel. If the security modules of the OLT and the ONU cannot be synchronized after the key distribution algorithm information is processed, the set done bit of the flag field 525 is set to O.'
  • FIGS. 6A and 6B illustrate the structures of key management frames 600 for requesting a key update according to embodiments of the present invention.
  • the structure of the key management frame 600 for requesting the key update is identical to that of the key management frame 400 of FIG. 4.
  • a code field 630 has a value of '2' (see Table 3) indicating the key management frame 600.
  • a data/pad field 635 includes a key index field 637 indicating the type of a key to be updated and a Nonce field 639 indicating a random value exchanged for a key update.
  • the key management frame 600 illustrated in FIG. 6A or 6B is used to update the
  • the PMK is not used to encrypt data and thus has a relatively long update cycle.
  • the TK is used to encrypt data and thus constantly exposed to channels, it has a short update cycle.
  • the PMK must be periodically updated for security since it is used to update the TK, and a factor for generating the TK is exposed to channels.
  • the 600 for requesting the key update indicates the type (PMK or TK) of a key to be updated, and the Nonce field 639 includes a random value required to generate a key. For example, if the key index field 637 is 1 O,' the PMK should be updated. If the key index field 637 is '1,' the TK should be updated.
  • the key management frame 600 illustrated in FIG. 6 A is used to update a unicast key
  • the key management frame 600 illustrated in FIG. 6B is used to update a broadcast key.
  • the unicast key is used for P2P communication between the OLT and the ONU
  • the broadcast key is used for P2MP communication between the OLT and all the ONUs connected to the OLT. Since the broadcast key must be distributed to all the ONUs, it is generated using a random value generated by the OLT.
  • a transmitting end transmits the key management frame 600 for requesting the key update, it cannot generate a key until it receives a key management frame 700 for responding to a key update request (see FIGS. 7A or 7B) from a receiving end.
  • a key management module of the transmitting end receives the key management frame 700 in response to the key update request, it updates a key which is indicated by the key index field 637 of the key management frame 700 using a random value Anonce generated by itself and a random value Bnonce generated by the other end.
  • the OLT distributes the random value Bnonce as well, the ONU does not generate a random value.
  • FIGS. 7 A and 7B illustrate the structure of the key management frame 700 for responding to the key update request according to embodiments of the present invention.
  • the structure of the key management frame 700 for responding to the key update request is identical to that of the key management frame 600 for requesting the key update of FIG. 6.
  • a code field 730 has a value of '3' (see Table 3) indicating the key management frame 700.
  • the key management frame 700 is transmitted only after the key management frame 600 for requesting the key update is received.
  • a key index field 737 of a data/ pad field 735 of the key management frame 700 for responding to the key update request indicates the type of key (for example, 0: PMK, 1: TK), and a Nonce field 739 indicates a value required to generate a key.
  • the key management module of the transmitting end After transmitting the key management frame 700 in response to the key update request, the key management module of the transmitting end updates a target key using a random value Anonce of the key management frame 600 for requesting the key update and a random value Bnonce generated by itself.
  • FIG. 8 illustrates the structure of a key management frame 800 for requesting key verification according to an embodiment of the present invention.
  • the structure of the key management frame 800 for requesting the key verification is identical to that of the key management frame 400 of FIG. 4.
  • a code field 830 has a value of '4' (see Table 3) indicating the key management frame 800.
  • a data field 835 includes a key index 836 indicating the type of a key to be verified, and Anonce and Nonce fields 837 and 838 indicating data required for key verification.
  • the key management frame 800 for requesting the key verification includes the key index 836 of the key to be verified and random values which are indicated by the Anonce and Bnonce fields 837 and 838 and used to generate the key.
  • a verification key (VK) used for key verification is given by
  • VK PRF (Anonce II Bnonce H K), ...(2)
  • Ki indicates the type of a key to be verified (i: (0) AK, (1) BK, (2) SAK).
  • the key management module of the transmitting end generates the VK after transmitting the key management frame 800 for requesting the key verification and waits for a key management frame 900 in response to the key verification request (see FIG. 9).
  • FIG. 9 illustrates the structure of the key management frame 900 for responding to the key verification request according to an embodiment of the present invention.
  • the structure of the key management frame 900 for responding to the key verification request is identical to that of the key management frame 400 of FIG. 4.
  • a code field 930 has a value of '5' (see Table 3) indicating the key management frame 900.
  • the key management frame 900 for responding to the key verification request is transmitted together with a factor that can generate the VK. Therefore, the key management module of the receiving end which receives the key management frame 900 in response to the key verification request generates a key management frame for confirming key verification 1000 (see FIG. 10) and transmits the key management frame for confirming key verification 1000 including a key index field 937 of a key to be verified and a Y field 939 indicating a generated VK.
  • the VK is generated using Equation 2.
  • FIG. 10 illustrates the structure of the key management frame 1000 for confirming the key verification according to an embodiment of the present invention.
  • the structure of the key management frame 1000 for confirming the key verification is identical to that of the key management frame 400 of FIG. 4.
  • a code field 1030 has a value of '6' (see Table 3) indicating the key management frame 1000.
  • an end which requests the verification of the key must transmit the verification result to a receiving end. If the key is updated and then verified, the verification result must be checked. However, if the key is updated without verification, it is not necessary to transmit the key management frame 1000 for confirming the key verification.
  • the transmitting end After the transmitting end, which transmitted the key management frame 800 for requesting the key verification, receives the key management frame 900 in response to the key verification request from the receiving end, the transmitting end transmits the key management frame 1000 for confirming the key verification to the receiving end. If a verification result value in the key management frame 1000 received by the receiving end indicates that the key has not been verified, the key is not updated.
  • FIG. 11 illustrates a procedure transition in a key distribution method according to an embodiment of the present invention.
  • the key distribution procedure includes a key update procedure 1100, a key distribution procedure 1110, and a key verification procedure 1120.
  • the key update procedure 1100 When a key update cycle is performed, the key update procedure 1100 generates a key and executes the key distribution procedure 1110 to distribute the generated key.
  • the key distribution procedure 1110 distributes the generated key and executes the key verification procedure 1120 after finishing the key distribution. After verifying the generated key, the key verification procedure 1120 executes the key update procedure 1110. Then, the key update procedure 1100 updates the verified key.
  • FIG. 12 is a flowchart illustrating a key update method according to an embodiment of the present invention.
  • a key update timer is started (S 1200).
  • an end which distributes the key (the OLT or the ONU, hereinafter referred to as a transmitting end) transmits the key management frame 600 for requesting the key update to the other end (the OLT or the ONU, hereinafter referred to as a receiving end) (S 1210).
  • the transmitting end receives the key management frame 700 for responding to the key update request from the receiving end (S 1215). Then, the transmitting end generates the key management frame 800 for requesting the key verification and transmits the key management frame 800 for requesting the key verification to the receiving end (S 1220).
  • the transmitting end In response to the key management frame 800 for requesting the key verification, the transmitting end receives the key management frame 900 for responding to the key verification request from the receiving end (S 1225). Then, the transmitting end examines the key management frame 900 for responding to the key verification request and determines whether the key is successfully verified (S 1230). If the key is successfully verified, the transmitting end transmits the key management frame 1000 for confirming the key verification to the receiving end, and then the key is updated (S1235).
  • FIG. 13 is a flowchart illustrating a key update method according to another embodiment of the present invention. While the flowchart of FIG. 12 illustrates a key update method from the perspective of an end which requests a key update, the flowchart of FIG. 13 illustrates a key update method from the perspective of an end receiving a request for a key update.
  • the 600 for requesting the key update (S 1300), it generates the key management frame 700 for responding to the key update request and transmits the key management frame 700 for responding to the key update request to a transmitting end (S 1305).
  • the receiving end receives the key management frame 800 for requesting the key verification, it generates the key management frame 900 for responding to the key verification request and transmits the key management frame 900 for responding to the key verification request to the transmitting end (S 1315).
  • the receiving end receives the key management frame 1000 for confirming the key verification, it updates a key (S 1325).
  • a key distribution method according to the present invention is applied to an
  • a key used by an encryption module can be safely and efficiently distributed using a key management module in each of an OLT and an ONU of the EPON.

Abstract

Provided is a key distribution method of applying link security technology to an Ethernet passive optical network (EPON). An optical line terminal (OLT) and an optical network unit (ONU) respectively generate first random values and exchange the first random values with each other. The OLT and the ONU generate a pairwise master key (PMK) based on the exchanged first random values and a pre-distributed master key using a hash function. The OLT and the ONU respectively generate second random values and exchange the second random values with each other. The OLT and the ONU generate a temporary key based on the exchanged second random values, respective media access control (MAC) addresses of the OLT and the ONU, and the PMK using the hash function. Therefore, keys can be safely distributed over the EPON without using a separate secure channel.

Description

Description
METHOD OF DISTRIBUTING KEYS OVER EPON
Technical Field
[1] The present invention relates to a key distribution method, and more particularly, to a method of distributing keys over an Ethernet passive optical network (EPON) without using a secure channel.
Background Art
[2] When an entity A transmits a message to an entity B on a communications network, an unauthorized user may access and use the message being transmitted. If such a risk is present, encryption must be used to assure the security of the message. Generally, encryption techniques used for security are divided into symmetric-key encryption techniques and public-key encryption techniques. The two encryption techniques use very different encryption algorithms and distribute keys in different ways.
[3] In the symmetric-key encryption technique, a key used for encryption is identical to a key used for decryption. For example, if an entity A uses a key K to encrypt a message, an entity B must use the key K to decrypt the message received from the entity A. Encryption algorithms used in the symmetric-key encryption technique include Data Encryption Standard(DES) and Advanced Encryption Standard(AES) algorithms, which use 56-bit and 128-bit key lengths, respectively.
[4] A longer key length provides stronger security but results in a longer message processing time. Given current processing technology, a key length of 128 bits or greater is sufficient for the symmetric-key encryption technique. Since messages can be quickly encrypted or decrypted using the symmetric-key algorithm, it is used for message security in most encryption modules.
[5] However, since each pair of entities desiring to communicate with each other must have identical unique keys, if there are N entities on a communications network, N(N- 1)/2 keys are required. Also, a key distribution center for distributing keys is required within the communications network. The key distribution center distributes a key of a first entity to a second entity who desires to communicate with the first entity through a predetermined, secure channel. Further, since keys must be periodically replaced, the cost of distributing keys increases.
[6] In the public-key encryption technique, a key used for encryption and a key used for decryption are different. For example, if an entity A uses a key K to encrypt a message, an entity B should use a key K ' to decrypt the message received from the entity A using a Ri vest- Shamir- Adleman (RSA) algorithm. Here, the entity A creates the keys K and K ' and publicizes the key K to other entities on the communications network. Hence, an entity desiring to communicate with the entity A encrypts a message using the key K and transmits the encrypted message to the entity A.
[7] The keys K and K ' exist as a unique pair. Even though the key K is publicized, it is computationally impossible to determine the key K '. Unlike the symmetric-key encryption technique, in the public-key encryption technique, each entity requires two keys, and a secure channel is not required to distribute the key K . Thus, it is easier to distribute keys, and the number of keys to be distributed within the communications network can be reduced.
[8] However, a key length of 1024 bits or greater is required to assure the security of messages encrypted using the RSA algorithm. Accordingly, it takes a long time to encrypt or decrypt messages using the RSA algorithm. Thus, the RSA algorithm is hardly used as a message security algorithm in the communications networks.
[9] An encryption module and a key management module are required to apply security technology in a network layer. The encryption module encrypts messages using an encryption algorithm. The encryption module uses the symmetric-key encryption technique or the public -key encryption technique to encrypt messages using keys provided by the key management module. The key management module manages keys to be provided to the encryption module. Key management involves creation, storage, distribution, updating and discard of keys. When the symmetric-key encryption technique is used, the key distribution center distributes keys using a secure channel. When the public-key encryption technique is used, keys are distributed through an insecure channel. Disclosure of Invention
Technical Problem
[10] The present invention provides a method of safely distributing keys over an
Ethernet Passive Optical Network (EPON) without using a secure channel, the method being applied to a data link layer.
Technical Solution
[11] According to an aspect of the present invention, there is provided a method of distributing keys over an EPON to generate a unicast secure channel, the method including: exchanging first random valued respectively generated by an Optical Line Terminal (OLT) and an Optical Network Unit (ONU) between the OLT and the ONU; generating a Pair- wise Master Key (PMK ) based on the exchanged first random values and a pre-distributed master key using a hash function; exchanging second random values respectively generated by the OLT and the ONU between the OLT and the ONU; and generating a temporary key based on the exchanged second random values, respective media access control (MAC) addresses of the OLT and the ONU, and the PMK using the hash function.
[12] According to another aspect of the present invention, there is provided a
[13] method of distributing keys on an EPON to generate a broadcast secure channel , the method including: delivering a first random value generated by an OLT to an ONU; generating a PMK based on the delivered first random value and a pre- distributed master key using a hash function; transmitting a second random value generated by the OLT to the ONU; and generating a temporary key based on the delivered second random value, MAC addresses of the OLT and the ONU, and the PMK using the hash function.
[14] Therefore, keys can be safely distributed over the EPON without using a separate secure channel.
Advantageous Effects
[15] As described above, a key distribution method according to the present invention is applied to an EPON for network security. Thus, a key used by an encryption module can be safely and efficiently distributed using a key management module in each of an OLT and an ONU of the EPON. Specific effects of the key distribution method according to embodiments of the present invention are as follows.
[16] First, a separate secure channel for key distribution is not required since a PRF is used. The PRF is a well-known one-way, collision-free hash function. When an output value is set larger than 160 bits, the PRF is cryptologically stable. The present invention suggests a key distribution method using the PRF, thereby avoiding a direct key delivery over a channel. Since no separate secure channel is required, complexity of a key management module can be reduced.
[17] Second, a slow protocol is used. The slow protocol uses a MAC frame in a data link layer. Therefore, the present invention, which uses the slow protocol, does not allow a key management frame to be intercepted by an attacker outside the EPON. Since the key management frame cannot be intercepted outside the EPON, it is safe within the EPON. In addition, the slow protocol limits the maximum number of frames that can be transmitted per second to 10 and the frame length to 128 bytes. Therefore, frame transmission does not affect an amount of traffic in the EPON.
[18] Third, keys are distributed using a relatively simple protocol. The present invention distributes keys using a key management protocol and involves five processes of requesting a key update, responding to a key update request, requesting key verification, responding to a key verification request, and confirming key verification. Si nee information included in a frame to be transmitted is composed of a simple algorithm having simple input and output values, protocol complexity can be simplified.
[19] Last but not least, the present invention is scalable. In other words, a key management module can use the present invention independently of an encryption algorithm of an encryption module when the security technology is applied to a data link layer in a general network. When devices are installed on a network and a master key is set, keys are automatically distributed according to a key distribution procedure. To apply the present invention to a shared local area network (LAN) having a network structure, a central control device that functions as a key distribution center, such as an OLT, is required.
[20] While the present invention has been particularly shown and described with reference to exemplary embodiments thereof, it will be understood by those of ordinary skill in the art that various changes in form and details may be made therein without departing from the spirit and scope of the present invention as defined by the following claims.
Description of Drawings
[21] The above and other features and advantages of the present invention will become more apparent by describing in detail exemplary embodiments thereof with reference to the attached drawings in which:
[22] FIG. 1 illustrates a block diagram illustrating the structure of an Ethernet passive optical network (EPON) to which the present invention is applied;
[23] FIG. 2 is a flowchart illustrating a method of distributing keys on an EPON according to an embodiment of the present invention;
[24] FIG. 3 illustrates the structure of a conventional media access control (MAC) frame used in a data link layer;
[25] FIG. 4 illustrates the structure of a MAC frame used to distribute and manage keys according to an embodiment of the present invention;
[26] FIG. 5 illustrates the structure of an information key management frame according to an embodiment of the present invention;
[27] FIGS. 6A and 6B illustrate the structures of key management frames for requesting a key update according to embodiments of the present invention;
[28] FIGS. 7A and 7B illustrate the structures of key management frames for responding to a key update request according to embodiments of the present invention;
[29] FIG. 8 illustrates the structure of a key management frame for requesting key verification according to an embodiment of the present invention;
[30] FIG. 9 illustrates the structure of a key management frame for responding to a key verification request according to an embodiment of the present invention;
[31] FIG. 10 illustrates the structure of a key management frame for confirming key verification according to an embodiment of the present invention;
[32] FIG. 11 illustrates a procedure state in a key distribution method according to an embodiment of the present invention; [33] FIG. 12 is a flowchart illustrating a key update method according to an embodiment of the present invention; and
[34] FIG. 13 is a flowchart illustrating a key update method according to another embodiment of the present invention.
Best Mode
[35] According to an aspect of the present invention, there is provided a method of distributing keys over an EPON to generate a unicast secure channel, the method including: exchanging first random valued respectively generated by an Optical Line Terminal (OLT) and an Optical Network Unit (ONU) between the OLT and the ONU; generating a Pair- wise Master Key (PMK ) based on the exchanged first random values and a pre-distributed master key using a hash function; exchanging second random values respectively generated by the OLT and the ONU between the OLT and the ONU; and generating a temporary key based on the exchanged second random values, respective media access control (MAC) addresses of the OLT and the ONU, and the PMK using the hash function.
[36] According to another aspect of the present invention, there is provided a
[37] method of distributing keys on an EPON to generate a broadcast secure channel , the method including: delivering a first random value generated by an OLT to an ONU; generating a PMK based on the delivered first random value and a pre- distributed master key using a hash function; transmitting a second random value generated by the OLT to the ONU; and generating a temporary key based on the delivered second random value, MAC addresses of the OLT and the ONU, and the PMK using the hash function.
[38] Therefore, keys can be safely distributed over the EPON without using a separate secure channel.
Mode for Invention
[39] The present invention will now be described more fully with reference to the accompanying drawings, in which exemplary embodiments of the invention are shown. The invention may, however, be embodied in many different forms and should not be construed as being limited to the embodiments set forth therein; rather, these embodiments are provided so that this disclosure will be thorough and complete, and will fully convey the concept of the invention to those skilled in the art.
[40] FIG. 1 is a block diagram illustrating the structure of an Ethernet passive optical network (EPON) to which the present invention is applied. The EPON has a point- to-multi point (P2MP) tree structure. If an asymmetric -key encryption technique is applied to the EPON, a faster operation of an encryption module may be guaranteed, but complexity of key distribution is unavoidable. [41] However, the EPON does not have a network structure. Logically, the EPON has a point-to-point (P2P) structure although it physically has a P2MP structure. In other words, all optical network units (ONUs) 110 through 1 IN are connected to a single optical line terminal (OLT) 100. Therefore, it is not necessary to distribute a plurality of keys to each entity as is required in the symmetric-key encryption technique.
[42] That is, each of the ONUs 110 through 1 IN requires only one key to communicate with the OLT 100. When the ONU 110 communicates with another ONU 112, the two ONUs 110 and 112 use the same key since the transmitted data must pass through the OLT 100. Security technology used in the EPON is applied to a data link layer.
[43] Therefore, even when the symmetric-key encryption technique is used in the
EPON, the number of keys required for encryption is identical to the number of channels set by the ONUs 110 through 1 IN to communicate with the OLT 100. Consequently, the number of keys required in the symmetric-key encryption technique is close to the number of keys distributed when a public-key encryption technique is used. On the EPON, the OLT 100 can distribute keys to each of the ONUs 110 through 1 IN through a control process.
[44] On the EPON, data transmitted from the OLT 100 down to the ONUs 110 through
1 IN (hereinafter, referred to as 'downward data') is broadcasted, and upward data transmitted from the ONUs 110 through 1 IN to the OLT (hereinafter, referred as 'upward data') is unicasted.
[45] Even when the downward data is transmitted to a single destination, there is virtually no way to prevent the downward data from being broadcasted. Therefore, the downward data can be transmitted to an unintended or unauthorized ONU. This is where security is required to protect messages or prevent an unauthorized user from accessing and using data on the EPON.
[46] To apply the security technology to the EPON, an encryption module which encrypts messages and a key management module which provides keys to the encryption module are required . A key distribution method according to an embodiment of the present invention is a link security technology which is applied to the data link layer. In addition, the key distribution method is used by the key management module. The key management module may use the key distribution method when link security is implemented on the EPON.
[47] The OLT 100 generates keys to be provided to the encryption module and distributes the generated keys to the ONUs 110 through 1 IN, or the ONUs 110 through 1 IN generates keys to be provided to the encryption module and distribute the generated keys to the OLT 100. For security, the generated keys are periodically updated, and a key distribution method is required for this. Keys must be distributed using the safest key distribution method possible. [48] Keys may be distributed using a secure channel provided by the encryption module or using a separate secure channel created by the key management module. However, when the secure channel provided by the encryption module is used, if the encryption module operates only in one direction, that is, if data transmitted from the OLT 100 to the ONUs 110 through 1 IN is encrypted but data transmitted from the ONUs 110 through 1 IN to the OLT 100 is not encrypted, the key management module must create a separate secure channel.
[49] However, if the key management module creates a separate secure channel, it must include a module like the encryption module which uses an encryption algorithm and manage keys separately from those provided by the encryption module. Therefore, key management becomes considerably complicated.
[50] The best way to avoid this problem is not to use a secure channel for key distribution. Taking this into consideration, the present invention suggests a method of safely distributing keys on the EPON without using a separate secure channel.
[51] FIG. 2 is a flowchart illustrating a method of distributing keys on an EPON according to an embodiment of the present invention. Referring to FIG. 2, an OLT generates a first random value Anonce and transmits the first random value Anonce to an ONU and the ONU also generates a first random value Bnonce and transmits the first random value Bnonce to the OLT. Alternatively, only the OLT generates the first random value Anonce and transmits the generated first random value Anonce to the ONU (S200). Each of the OLT and the ONU executes a hash function on the first random value Anonce or Bnonce generated by itself, the random value Bnonce or Anonce received from each other and a pre-distributed and shared master key (MK), and generates a pairwise master key (PMK) (S210).
[52] The MK is distributed to the OLT and the ONU before encryption is performed and may be distributed using various conventional methods. The present invention uses a pseudo random function (PRF), which is a hash function, as an algorithm for generating keys. The hash function has the following properties.
[53]
1. An input bitstream x of any length is converted into an output bitstream H
[54] (x) of a fixed length.
[55]
1. H(x) is easy to compute given H and x.
2. Given an output, it is computationally infeasible to find an input value.
3. Given an input, it is computationally infeasible to find another input that [56] produces the same output.
[57] 5. It is computationally infeasible to find any two different inputs that produce the same output. [58] When an output value longer than 160 bits is produced using this one-way and collision-free PRF, it is difficult to find a key, even through a brute-force attack. Thus, the PRF is highly secure. Here, the brute-force attack is an attack in which all possible numbers are substituted to find a key value. In this case, an attacker has to make an average of 2 attempts to find a key.
[59] After the PMK is generated, the OLT generates a second random value Anonce and transmits the second random value Anonce to the ONU, and the ONU also generates a second random value Bnonce and transmits the second random value Bnonce to the OLT (S220). Alternatively, the OLT generates second random values Anonce and Bnonce and transmits the second random values Anonce and Bnonce to the ONU (S220). The OLT executes a hash function using the second random value Anonce generated by itself, the second random value Bnonce received from the ONU or generated by itself, its MAC address, a MAC address of the ONU and the PMK, and generates a temporary key (TK) (S230). The ONU also generates a TK using the method used by the OLT.
[60] The TK is a session key. A broadcast TK is divided into a broadcast key (BK) and an initial value (IV) for a broadcast secure channel. A unicast TK is divided into an authentication key (AK), a secure association key (SAK), and an IV for a unicast secure channel. The functions of each key are shown in Table 1 below.
[61] Table 1 [62]
Figure imgf000010_0001
[63] Based on the following equation, keys can be generated using the PRF. [64] PMK=PRF (Anonce II Bnonce II MK) [65] TK=PRF (Anonce II Bnonce II Aaddr II Baddr II PMK), ...(1) [66] where PMK has 16 bytes, Anonce is a 16-byte random value generated by A, Bnonce is a 16-byte random value generated by B, TK has 64 bytes, Aaddr is a 6-byte MAC address of A, and Baddr is a 6-byte MAC address of B.
[67] The key distribution method according to the present embodiment described with reference to FIG. 2 can avoid directly delivering keys using a channel. Thus, a separate secure channel for delivering keys is not required. When the key distribution method is not used and a key is delivered through a secure channel, if a secure channel key is revealed to an attacker, a data encryption key is also revealed to the attacker. Hence, there always exist such dual risks in such a system. However, embodiments of the present invention can avoid such risks.
[68] Even when the TK is revealed to an attacker, the PMK, which generates the TK, is not revealed. Hence, an updated TK can be used safely. In addition, since the PMK, which is rarely revealed, is periodically updated, it is even more secure. Further, since the MK, from which keys are generated, is never exposed to a channel, it offers the highest security.
[69] The present embodiment is used in the data link layer, and thus uses frames which are generated and vanish between the OLT and the ONU. A MAC frame which is generated and vanishes on the EPON is an OAM frame. The key distribution method according to the present embodiment uses a slow protocol as used in an OAM protocol.
[70] Hereinafter, MAC frames used in embodiments of the present invention will be described with reference to FIGS. 3 through 10.
[71] FIG. 3 illustrates the structure of a conventional MAC frame 300 used in the data link layer. Referring to FIG. 3, the conventional MAC frame 300 includes a destination address (DA) field 310, a source address (SA) field 320, a length/type field 330, a data/ pad field 340 for recording data, and an FCS field 350 for identifying frame errors.
[72] FIG. 4 illustrates the structure of a MAC frame 400 used to distribute and manage keys according to an embodiment of the present invention. Referring to FIG. 4, the MAC frame 400 includes a DA field 405, an SA field 410, a length/type field 415, a subtype field 420, a flag field 425, a code field 430, a data/pad field 435, and an FCS field 440.
[73] The MAC frame 400 suitable for a key management protocol according to the present invention can be referred to as a key management frame, each field of which will now be described below.
[74] According to a slow protocol, the DA field 405 has a value of '01-80-C2-00-00-02,' and the length/type field 415 has a value of '80-09' indicating the slow protocol. The subtype field 420 uses '4' out of 4-10, excluding 1-3 used conventionally.
[75] Since a minimum length of the MAC frame 300 of FIG. 3 is 64 bytes, the data/pad field 435 must have a minimum length of 43 bytes. Even when the maximum length of the MAC frame 400 is 1522 bytes, the data/pad field 435 of the key management frame, i.e., the MAC frame 400, can be extended only to 107 bytes since the maximum frame length used in the slow protocol is limited to 128 bytes.
[76] The flag field 425 is composed of 1 byte, and the function of each bit is shown in FIG. 2 below. [77]
Figure imgf000012_0001
[78] A set done bit is classified as a local set done bit and a remote set done bit. For example, when the OLT transmits the key management frame to the ONU, the local set done bit indicates encryption module information of the OLT, and the remote set done bit indicates encryption module information of the ONU.
[79] When a value of the set done bit is zero, no encryption module is available or operable since encryption settings of the OLT and the ONU do not match. When no encryption module is available, the key management module may or may not be available. In other words, when the key management module is not available, there is no response to a request for key management. When the key management module is available but the encryption module is not operable, the set done bit is set to 1O,' and the remaining bits are set to 'null.' Since both cases indicate that the encryption module is not properly operable, they are processed the same, that is, as '0.'
[80] When the value of the set done bit is 1, the encryption module is available and the encryption module is operable since the encryption settings of the OLT and the ONU match. Therefore, when the values of the local set done bit and the remote set done are both '1,' the encryption module can operate.
[81] The flag field 425 is included in all key management frames and is processed as first information of the key management frame. The flag field 425 enables the key management module to quickly respond to changes in the encryption module that occur while the encryption module operates normally in a state where local and remote set done bits of the flag field 425 are '1.' In other words, when the values of the local set done bit and the remote set done bit are changed to 1O,' the encryption module must be stopped.
[82] When transmitting the key management frame, a transmitting end always has state information of an encryption module of a receiving end that its has in the remote set done of the key management frame and transmits the key management frame to a receiving end. Therefore, the receiving end can identify whether the transmitting end properly manages the state information of the encryption module of the receiving end based on the received key management frame.
[83] The code field 430 is composed of 1 byte and indicates the type of the key management frame. The types of key management frame according to code values are shown in Table 3.
[84]
Figure imgf000013_0001
[85] FIG. 5 illustrates the structure of an information key management frame 500 according to an embodiment of the present invention. Referring to FIG. 5, the structure of the information key management frame 500 is identical to that of the key management frame, i.e., the MAC frame 400, of FIG. 4. However, in the information key management frame 500, a value of a code field 530 is T (see Table 3) indicating the information key management frame 500. In addition, a data/pad field 535 includes a local_config field 537 indicating configuration information of a key management module and a remote_config field 539 indicating configuration information of an encryption module.
[86] The configuration information recorded in the data/pad field 535 is shown in Table 4 below.
[87] Table 4 [88]
Figure imgf000014_0001
[89] When no encryption module is available, if a value of the set done bit of a flag field 525 is 1O,' all of the configuration information is set to 'null.' However, when the encryption module is available but does not operate, even if the value of the set done bit of the flag field 525 is '0,' all of the configuration information is filled with a corresponding value when the operating state bit of the configuration information indicates 'on.'
[90] The operating state bit shown in Table 4 indicates whether a current encryption module is actually operable on a system. In other words, when the operating state bit indicates 'on' and the remaining bits of the configuration information are synchronized with one another, the value of the set done bit of the flag field 525 can be '1.' However, when the encryption module does not operate and thus the operating state bit is set to 1O,' the remaining bits of the configuration information are all set to 'null.'
[91] The encryption mode bit shown in Table 4 indicates a function provided by the encryption module. Since the downward data is broadcast data and the upward data is unicast data in the case of the EPON, the upward data may sometimes not be encrypted or the downward data may sometimes not be encrypted. If security modules of the OLT and the ONU cannot be synchronized after the encryption mode information is processed, the set done bit of the flag field 525 is set to 1O.'
[92] The encryption algorithm bit shown in Table 4 indicates an algorithm used by the encryption module to encrypt or decrypt data. In Table 4, all algorithms except for RSA are symmetric algorithms. The encryption module may or may not have an independent module which operates a plurality of encryption modules. If the security modules of the OLT and the ONU cannot be synchronized after the encryption algorithm information is processed, the set done bit of the flag field 525 is set to 1O.'
[93] The key distribution algorithm bit shown in Table 4 indicates a key distribution method used by the key management module. Two algorithms are indicated in Table 4 as examples. However, when a separate encryption channel for key distribution is formed, the key distribution algorithm bit indicates algorithm information used by a key distribution encryption module.
[94] When a separate encryption channel for key distribution is formed, the data/pad field 535 of the information key management frame 500 may be changed or a new key management frame may be defined and used. However, the key distribution algorithm according to an embodiment of the present invention is a modified version of the Diffie-Hellman method and does not require a separate encryption channel. If the security modules of the OLT and the ONU cannot be synchronized after the key distribution algorithm information is processed, the set done bit of the flag field 525 is set to O.'
[95] FIGS. 6A and 6B illustrate the structures of key management frames 600 for requesting a key update according to embodiments of the present invention. Referring to FIG. 6A, the structure of the key management frame 600 for requesting the key update is identical to that of the key management frame 400 of FIG. 4. However, a code field 630 has a value of '2' (see Table 3) indicating the key management frame 600. In addition, a data/pad field 635 includes a key index field 637 indicating the type of a key to be updated and a Nonce field 639 indicating a random value exchanged for a key update.
[96] An encrypted message is always vulnerable to attackers. Thus, when the encrypted message is intercepted by an attacker, a key used to encrypt the stolen message can be revealed. Hence, the key used for encryption must be periodically changed for security.
[97] The key management frame 600 illustrated in FIG. 6A or 6B is used to update the
TK and the PMK, which must be periodically updated. The PMK is not used to encrypt data and thus has a relatively long update cycle. However, since the TK is used to encrypt data and thus constantly exposed to channels, it has a short update cycle.
[98] Here, although not used for data encryption, the PMK must be periodically updated for security since it is used to update the TK, and a factor for generating the TK is exposed to channels.
[99] The key index field 637 of the data/pad field 635 of the key management frame
600 for requesting the key update indicates the type (PMK or TK) of a key to be updated, and the Nonce field 639 includes a random value required to generate a key. For example, if the key index field 637 is 1O,' the PMK should be updated. If the key index field 637 is '1,' the TK should be updated.
[100] The key management frame 600 illustrated in FIG. 6 A is used to update a unicast key, and the key management frame 600 illustrated in FIG. 6B is used to update a broadcast key. The unicast key is used for P2P communication between the OLT and the ONU, and the broadcast key is used for P2MP communication between the OLT and all the ONUs connected to the OLT. Since the broadcast key must be distributed to all the ONUs, it is generated using a random value generated by the OLT.
[101] When a transmitting end transmits the key management frame 600 for requesting the key update, it cannot generate a key until it receives a key management frame 700 for responding to a key update request (see FIGS. 7A or 7B) from a receiving end. When a key management module of the transmitting end receives the key management frame 700 in response to the key update request, it updates a key which is indicated by the key index field 637 of the key management frame 700 using a random value Anonce generated by itself and a random value Bnonce generated by the other end. When generating the broadcast key, since the OLT distributes the random value Bnonce as well, the ONU does not generate a random value.
[102] FIGS. 7 A and 7B illustrate the structure of the key management frame 700 for responding to the key update request according to embodiments of the present invention. Referring to FIG. 7A, the structure of the key management frame 700 for responding to the key update request is identical to that of the key management frame 600 for requesting the key update of FIG. 6. However, a code field 730 has a value of '3' (see Table 3) indicating the key management frame 700.
[103] The key management frame 700 is transmitted only after the key management frame 600 for requesting the key update is received. A key index field 737 of a data/ pad field 735 of the key management frame 700 for responding to the key update request indicates the type of key (for example, 0: PMK, 1: TK), and a Nonce field 739 indicates a value required to generate a key.
[104] After transmitting the key management frame 700 in response to the key update request, the key management module of the transmitting end updates a target key using a random value Anonce of the key management frame 600 for requesting the key update and a random value Bnonce generated by itself.
[105] FIG. 8 illustrates the structure of a key management frame 800 for requesting key verification according to an embodiment of the present invention. Referring to FIG. 8, the structure of the key management frame 800 for requesting the key verification is identical to that of the key management frame 400 of FIG. 4. However, a code field 830 has a value of '4' (see Table 3) indicating the key management frame 800. A data field 835 includes a key index 836 indicating the type of a key to be verified, and Anonce and Nonce fields 837 and 838 indicating data required for key verification.
[106] Even when a key is updated using the key management frames 600 and 700, whether the key is accurately delivered must be delivered since the key in an embodiment of the present invention is not directly delivered.
[107] The key management frame 800 for requesting the key verification includes the key index 836 of the key to be verified and random values which are indicated by the Anonce and Bnonce fields 837 and 838 and used to generate the key. A verification key (VK) used for key verification is given by
[108] VK = PRF (Anonce II Bnonce H K), ...(2)
[109] where Ki indicates the type of a key to be verified (i: (0) AK, (1) BK, (2) SAK).
[110] The key management module of the transmitting end generates the VK after transmitting the key management frame 800 for requesting the key verification and waits for a key management frame 900 in response to the key verification request (see FIG. 9).
[I l l] FIG. 9 illustrates the structure of the key management frame 900 for responding to the key verification request according to an embodiment of the present invention. Referring to FIG. 9, the structure of the key management frame 900 for responding to the key verification request is identical to that of the key management frame 400 of FIG. 4. However, a code field 930 has a value of '5' (see Table 3) indicating the key management frame 900.
[112] The key management frame 900 for responding to the key verification request is transmitted together with a factor that can generate the VK. Therefore, the key management module of the receiving end which receives the key management frame 900 in response to the key verification request generates a key management frame for confirming key verification 1000 (see FIG. 10) and transmits the key management frame for confirming key verification 1000 including a key index field 937 of a key to be verified and a Y field 939 indicating a generated VK. The VK is generated using Equation 2.
[113] FIG. 10 illustrates the structure of the key management frame 1000 for confirming the key verification according to an embodiment of the present invention. Referring to FIG. 10, the structure of the key management frame 1000 for confirming the key verification is identical to that of the key management frame 400 of FIG. 4. However, a code field 1030 has a value of '6' (see Table 3) indicating the key management frame 1000. [114] After exchanging the key management frames 800 and 900 to verify a generated key, an end which requests the verification of the key must transmit the verification result to a receiving end. If the key is updated and then verified, the verification result must be checked. However, if the key is updated without verification, it is not necessary to transmit the key management frame 1000 for confirming the key verification.
[115] After the transmitting end, which transmitted the key management frame 800 for requesting the key verification, receives the key management frame 900 in response to the key verification request from the receiving end, the transmitting end transmits the key management frame 1000 for confirming the key verification to the receiving end. If a verification result value in the key management frame 1000 received by the receiving end indicates that the key has not been verified, the key is not updated.
[116] The key management frames described above are transmitted on the EPON without being encrypted because, due to security characteristics of the PRF, an attacker cannot determine a key within an effective period of time, even when information contained in a key management frame is revealed to an attacker.
[117] FIG. 11 illustrates a procedure transition in a key distribution method according to an embodiment of the present invention. Referring to FIG. 11, the key distribution procedure includes a key update procedure 1100, a key distribution procedure 1110, and a key verification procedure 1120.
[118] When a key update cycle is performed, the key update procedure 1100 generates a key and executes the key distribution procedure 1110 to distribute the generated key. The key distribution procedure 1110 distributes the generated key and executes the key verification procedure 1120 after finishing the key distribution. After verifying the generated key, the key verification procedure 1120 executes the key update procedure 1110. Then, the key update procedure 1100 updates the verified key.
[119] FIG. 12 is a flowchart illustrating a key update method according to an embodiment of the present invention. Referring to FIG. 12, after a key used for encryption is generated and distributed to an OLT and an ONU on the EPON, a key update timer is started (S 1200). When the key update timer stops after a predetermined period of time (S 1205), an end which distributes the key (the OLT or the ONU, hereinafter referred to as a transmitting end) transmits the key management frame 600 for requesting the key update to the other end (the OLT or the ONU, hereinafter referred to as a receiving end) (S 1210).
[120] In response to the key management frame 600 for requesting the key update, the transmitting end receives the key management frame 700 for responding to the key update request from the receiving end (S 1215). Then, the transmitting end generates the key management frame 800 for requesting the key verification and transmits the key management frame 800 for requesting the key verification to the receiving end (S 1220).
[121] In response to the key management frame 800 for requesting the key verification, the transmitting end receives the key management frame 900 for responding to the key verification request from the receiving end (S 1225). Then, the transmitting end examines the key management frame 900 for responding to the key verification request and determines whether the key is successfully verified (S 1230). If the key is successfully verified, the transmitting end transmits the key management frame 1000 for confirming the key verification to the receiving end, and then the key is updated (S1235).
[122] The key management frames described above are exchanged using a MAC frame of the slow protocol.
[123] FIG. 13 is a flowchart illustrating a key update method according to another embodiment of the present invention. While the flowchart of FIG. 12 illustrates a key update method from the perspective of an end which requests a key update, the flowchart of FIG. 13 illustrates a key update method from the perspective of an end receiving a request for a key update.
[124] Referring to FIG. 13, when a receiving end receives the key management frame
600 for requesting the key update (S 1300), it generates the key management frame 700 for responding to the key update request and transmits the key management frame 700 for responding to the key update request to a transmitting end (S 1305). When the receiving end receives the key management frame 800 for requesting the key verification, it generates the key management frame 900 for responding to the key verification request and transmits the key management frame 900 for responding to the key verification request to the transmitting end (S 1315). When the receiving end receives the key management frame 1000 for confirming the key verification, it updates a key (S 1325).
Industrial Applicability
[125] A key distribution method according to the present invention is applied to an
EPON for network security. Thus, a key used by an encryption module can be safely and efficiently distributed using a key management module in each of an OLT and an ONU of the EPON.

Claims

Claims
[1] A method of distributing keys over an Ethernet passive optical network (EPON), the method comprising: exchanging first random values respectively generated by an optical line terminal (OLT) and an optical network unit (ONU) between the OLT and the ONU to generate a unicast secure channel; generating a pairwise master key (PMK) based on the exchanged first random values and a pre-distributed master key using a hash function; exchanging second random values respectively generated by the OLT and the ONU between the OLT and the ONU; and generating a temporary key based on the exchanged second random values, respective media access control (MAC) addresses of the OLT and the ONU, and the PMK using the hash function.
[2] The method of claim 1, wherein the temporary key is used as a verification key for the OLT and the ONU, as an encryption key for broadcast data, as an encryption key for unicast data, and as a value for initializing an encryption module algorithm.
[3] The method of claim 1, wherein the OLT and the ONU exchange the first random values and the second random values with each other using a MAC frame of a slow protocol.
[4] The method of claim 1, further comprising updating the PMK or the temporary key in predetermined cycles.
[5] The method of claim 4, wherein the updating of the PMK or the temporary key comprises: transmitting from the OLT or the ONU to the OLT or the ONU a frame for requesting a key update which includes a type of a key to be updated and a third random value for updating the key, receiving from the OLT or the ONU a frame for responding to a key update request which includes a fourth random value, and generating a new key; and transmitting to the OLT or the ONU a frame for requesting key verification which includes the type of the key to be updated, the third random value and the fourth random value, and receiving from the OLT or the ONU a frame for responding to a key verification request which includes a verification key generated using the third random value and the fourth random value.
[6] The method of claim 5, further comprising transmitting to the OLT or the ONU a frame for confirming key verification which includes a result of verifying the key using the verification key included in the frame for responding to the key ver- ification request.
[7] The method of claim 1, further comprising exchanging a MAC frame which includes configuration information of an encryption module and a key management module of each of the OLT and the ONU between the OLT and the ONU.
[8] A method of distributing keys on an EPON, the method comprising: delivering a first random value generated by an OLT to an ONU to generate a broadcast secure channel; generating a PMK based on the delivered first random value and a pre- distributed master key using a hash function; transmitting a second random value generated by the OLT to the ONU; and generating a temporary key based on the delivered second random value, MAC addresses of the OLT and the ONU, and the PMK using the hash function.
[9] The method of claim 8, wherein the temporary key is used as a verification key for the OLT and the ONU, as an encryption key for broadcast data, as an encryption key for unicast data, and as a value for initializing an encryption module algorithm.
[10] The method of claim 8, further comprising updating the PMK or the temporary key in predetermined cycles.
[11] The method of claim 10, wherein the updating of the PMK or the temporary key comprises: transmitting a frame for requesting a key update which includes a type of a key to be updated and a third random value for updating the key, receiving from the OLT or the ONU a frame for responding to a key update request which includes a fourth random value, and generating a new key; and transmitting to the OLT or the ONU a frame for requesting key verification which includes the type of the key to be updated, the third random value, and the fourth random value, and receiving from the OLT or the ONU a frame for responding to a key verification request which includes a verification key generated using the third random value and the fourth random value.
[12] The method of claim 11, further comprising transmitting to the OLT or ONU a key for confirming key verification which includes a result of verifying the key using the verification key included in the frame for responding to the key verification request.
[13] The method of claim 8, further comprising exchanging a MAC frame which includes configuration information of an encryption module and a key management module of each of the OLT and the ONU between the OLT and the ONU.
PCT/KR2005/004168 2004-12-07 2005-12-07 Method of distributing keys over epon WO2006062345A1 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN2005800419669A CN101073221B (en) 2004-12-07 2005-12-07 Method of distributing keys over EPON

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
KR1020040102394A KR20060063271A (en) 2004-12-07 2004-12-07 The key distribution technique of link security on epon
KR10-2004-0102394 2004-12-07
KR1020050103791A KR100809393B1 (en) 2005-11-01 2005-11-01 Key distribution method on EPON
KR10-2005-0103791 2005-11-01

Publications (1)

Publication Number Publication Date
WO2006062345A1 true WO2006062345A1 (en) 2006-06-15

Family

ID=36578131

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2005/004168 WO2006062345A1 (en) 2004-12-07 2005-12-07 Method of distributing keys over epon

Country Status (1)

Country Link
WO (1) WO2006062345A1 (en)

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
DE102007023206A1 (en) * 2006-11-18 2008-05-21 Dica Technologies Gmbh Key generating and managing method for e.g. Internet protocol network, involves forming connections keys for duration of encrypted connection of data processing systems e.g. computer, as functions of identical main keys and of parameters
US7730305B2 (en) * 2004-12-10 2010-06-01 Electronics And Telecommunications Research Instutute Authentication method for link protection in Ethernet passive optical network
WO2011075880A1 (en) * 2009-12-21 2011-06-30 西安西电捷通无线网络通信股份有限公司 Handshake protocol method suitable for ultra wideband network
US20210203647A1 (en) * 2012-03-30 2021-07-01 Nec Corporation Core network, user equipment, and communication control method for device to device communication

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020120758A1 (en) * 2001-02-23 2002-08-29 Glory Telecommunications C0., Ltd. IP packetized frame format in a passive optical network
US20020150097A1 (en) * 2001-02-21 2002-10-17 Wei Yen Method and apparatus for secured multicasting

Patent Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020150097A1 (en) * 2001-02-21 2002-10-17 Wei Yen Method and apparatus for secured multicasting
US20020120758A1 (en) * 2001-02-23 2002-08-29 Glory Telecommunications C0., Ltd. IP packetized frame format in a passive optical network

Cited By (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7730305B2 (en) * 2004-12-10 2010-06-01 Electronics And Telecommunications Research Instutute Authentication method for link protection in Ethernet passive optical network
DE102007023206A1 (en) * 2006-11-18 2008-05-21 Dica Technologies Gmbh Key generating and managing method for e.g. Internet protocol network, involves forming connections keys for duration of encrypted connection of data processing systems e.g. computer, as functions of identical main keys and of parameters
DE102007023206B4 (en) * 2006-11-18 2008-10-09 Dica Technologies Gmbh Method and device for the secure generation and management of keys and their use in networks for the secure transmission of data
WO2011075880A1 (en) * 2009-12-21 2011-06-30 西安西电捷通无线网络通信股份有限公司 Handshake protocol method suitable for ultra wideband network
US20210203647A1 (en) * 2012-03-30 2021-07-01 Nec Corporation Core network, user equipment, and communication control method for device to device communication

Similar Documents

Publication Publication Date Title
US7730305B2 (en) Authentication method for link protection in Ethernet passive optical network
US8600063B2 (en) Key distribution system
JP5366108B2 (en) Passive optical network security enhancement based on optical network terminator management control interface
US7813510B2 (en) Key management for group communications
EP1169833B1 (en) Key management between a cable telephony adapter and associated signaling controller
US8948401B2 (en) Method for filtering of abnormal ONT with same serial number in a GPON system
CN108683501B (en) Multiple identity authentication system and method with timestamp as random number based on quantum communication network
US11838409B2 (en) Method and apparatus for transferring data in a publish-subscribe system
CN101073221B (en) Method of distributing keys over EPON
US20020199102A1 (en) Method and apparatus for establishing a shared cryptographic key between energy-limited nodes in a network
CN111080299A (en) Anti-repudiation method for transaction information, client and server
EP2439871B1 (en) Method and device for encrypting multicast service in passive optical network system
US20090232313A1 (en) Method and Device for Controlling Security Channel in Epon
US20070055870A1 (en) Process for secure communication over a wireless network, related network and computer program product
WO2006062345A1 (en) Method of distributing keys over epon
JP5102701B2 (en) Secret key distribution method and secret key distribution system
KR100594023B1 (en) Method of encryption for gigabit ethernet passive optical network
CN111245613A (en) Identity-based three-level key negotiation method for in-vehicle and out-vehicle networks
KR20140004703A (en) Controlled security domains
KR100809393B1 (en) Key distribution method on EPON
Eun et al. The design of key security in ethernet pon
WO2007066951A1 (en) Method and device for controlling security channel in epon
KR20220049038A (en) Symmetric key generation, authentication and communication between multiple entities in the network

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A1

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BW BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE EG ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KM KN KP KZ LC LK LR LS LT LU LV LY MA MD MG MK MN MW MX MZ NA NG NI NO NZ OM PG PH PL PT RO RU SC SD SE SG SK SL SM SY TJ TM TN TR TT TZ UA UG US UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A1

Designated state(s): BW GH GM KE LS MW MZ NA SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IS IT LT LU LV MC NL PL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 Ep: the epo has been informed by wipo that ep was designated in this application
WWE Wipo information: entry into national phase

Ref document number: 200580041966.9

Country of ref document: CN

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 05821302

Country of ref document: EP

Kind code of ref document: A1