AU2021104109B4 - Encryption signalling network and authentication-link - Google Patents


Info

Publication number: AU2021104109B4
Authority: AU (Australia)
Prior art keywords: esn, encryption, esc, channel, sub
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: AU2021104109A
Other versions: AU2021104109A4 (en)
Inventor: Yuxin ZOU
Current assignee: Individual (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Individual
Events: application filed by Individual; priority to AU2021104109A; application granted; publication of AU2021104109A4; publication of AU2021104109B4; legal status active; anticipated expiration

Classifications

    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L45/64 Routing or path finding of packets in data switching networks using an overlay routing layer
    • H04L63/0428 Network security for providing a confidential data exchange among entities communicating through data packet networks, wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/061 Network security for supporting key management in a packet data network, for key exchange, e.g. in peer-to-peer networks
    • H04L63/062 Network security for supporting key management in a packet data network, for key distribution, e.g. centrally by trusted party
    • H04L63/205 Managing network security; network security policies in general, involving negotiation or determination of the one or more network security mechanisms to be used, e.g. by negotiation between the client and the server or between peers or by selection according to the capabilities of the entities involved
    • H04L65/1013 Network arrangements, protocols or services for supporting real-time applications in data packet communication: network architectures, gateways, control or user entities
    • H04J3/1611 Time-division multiplex systems with fixed allocated frame structures: Synchronous digital hierarchy [SDH] or SONET
    • H04L45/50 Routing or path finding of packets in data switching networks using label swapping, e.g. multi-protocol label switch [MPLS]
    • H04L63/0823 Network security for authentication of entities using certificates

Abstract

This application provides an Encryption Signalling Network (ESN). With the ESN, the encryption signalling information required by data encryption services is transmitted over the ESN, while the encrypted client data are transmitted over current typical data networks. The ESN provides an Encryption Signalling Channel (ESC) for each data encryption service. Each ESC is a dedicated secure channel for encryption signalling information such as encryption keys, certificates, algorithm selection, and other parameters of authentication and encryption. Each ESC has multiple sub-channels, and each sub-channel has a different physical path. Every ESC and every sub-channel has its own authentication method. By using an ESC over the ESN, the security of the encryption signalling information is significantly enhanced.

Description

ENCRYPTION SIGNALLING NETWORK AND AUTHENTICATION-LINK
1 TECHNICAL FIELD
The present application relates to a network for encryption signalling, which transmits the encryption signalling information required by data encryption services. The network provides a network-level, dedicated secure channel for communication networks, enhancing the security of the encryption signalling required by data encryption services.
2 BACKGROUND
Among current network encryption technologies, Internet Protocol Security (IPSEC) has become the mainstream authentication and encryption technology. Whether in early IPSEC VPN deployments or in current Software Defined Network (SDN) and SD-WAN technology, IPSEC is the foundation for authentication and encryption. In IPSEC, symmetric encryption is used for the client traffic, and asymmetric encryption is normally used to protect the key exchange. Before the network elements (NEs) at both ends of the encryption service start to send encrypted client traffic, both ends need to negotiate the encryption method, algorithm and parameters and exchange keys, so that a secure channel can be built for the client traffic. Such control communication and information exchange for the setup of a secure channel is considered encryption signalling.
In IPSEC, the encryption signalling data share the same network link, the same data channel (or service path) and the same network as the encrypted data. Once the data channel is intruded and monitored by an attacker, the likelihood of the encryption being cracked greatly increases. To achieve fast encryption and decryption, the symmetric key is often relatively short, and it is often kept for a long time before being changed. With the rapid growth of computing power, the ability to crack fixed-length symmetric encryption will keep increasing. If the key length is not gradually increased, the security of the traditional IPSEC encryption method will gradually decline.
In addition, even when the highest level of certificate-based authentication and encryption is used in IPSEC, its security and reliability still depend entirely on the reliability of the certificate issuing organization. Because a certificate has fixed, pre-set characteristics, it is a static credential that is not changed for a long time after it is issued. Once the certificate is stolen, or the organization that issued it loses its credibility, the network security service immediately faces serious risk.
In view of the above problems of IPSEC encryption technology, the present application provides a solution to mitigate these security risks.
3 SUMMARY
Using Synchronous Digital Hierarchy (SDH) network technology (ITU-T G.783) as the foundation, the present application constructs an Encryption Signalling Network (ESN) for encryption signalling. In the ESN, the Link Capacity Adjustment Scheme (LCAS, ITU-T G.7042) is used to provide fast multi-channel paths with stable delay for the encryption signalling channels. Each end-to-end Encryption Signalling Channel (ESC) comprises multiple sub-channels, and each sub-channel has a different physical path. Each ESC, and each sub-channel of that ESC, has monitoring, control, encryption and authentication functions. Furthermore, since the ESN provides a secure, dedicated channel with stable bandwidth for the encryption signalling, the traditional static-key encryption method can be improved to a dynamic-key method: the encryption key can be changed frequently and regularly, and can even become a key stream instead of a fixed static key.
The present application also establishes Network Neighbour Authentication Links (NNALs) between network elements (NEs). The NNALs monitor information comprising latency, clock signal, jitter and drift characteristics, bit-error characteristics, encoding methods, modulation methods and other factors, which enhances the authentication between physically neighbouring NEs.
4 BRIEF DESCRIPTION OF THE DRAWINGS
Figure 1: Common Channel Encryption Signalling Mode(CCESM) VS In-Band Encryption Signalling Mode(IBESM)
Figure 2: Diagram of Common Channel Encryption Signalling Network
Figure 3: Diagram of Encryption Signalling Channel
Figure 4: Diagram of Network Encryption Link
5 DETAILED DESCRIPTION OF THE PRESENT INVENTION
In current network encryption methods, the encrypted data and the encryption signalling data used for encryption, such as certificates, keys and negotiation messages, share the same data network or data link, and even the same service path. Once the data channel is monitored and/or intruded, the encryption key and the encrypted data face the risk of leakage at the same time. In the present application, such an encryption method is referred to as In-Band Encryption Signalling Mode (IBESM).
Embodiments of the present application provide an Encryption Signalling Network (ESN). The network transmits only the encryption signalling information required for authentication and encryption, such as certificates, the various keys, and the negotiation of encryption methods, algorithms and parameters. All encryption signalling exchanges are carried out through an Encryption Signalling Channel (ESC) in the ESN. In this transmission method, the network, data link and transmission path carrying the encryption signalling are completely independent of those carrying the encrypted data. In the present application, this transmission mode for encryption signalling is referred to as Common Channel Encryption Signalling Mode (CCESM), and the ESN for this encryption signalling is referred to as a Common Channel Encryption Signalling Network (CCESN). Figure 1 illustrates the difference between CCESM and IBESM.
Through effective design and use of the ESN, the risk of the traditional IBESM can be greatly mitigated. The present application provides an ESN based on traditional Synchronous Digital Hierarchy (SDH) technology and provides improved encryption and authentication means. Figures 2 and 3 illustrate embodiments of an ESN.
This application also provides one or more Network Neighbour Authentication Links (NNALs), which are physical links dedicated to enhancing the mutual authentication between neighbouring NEs. Each NNAL is completely independent of the common physical data link used for transmitting customer data traffic between the neighbouring NEs. Figure 4 illustrates embodiments of the NNAL.
The following embodiments provide the detailed implementation of the present invention.
5.1 Encryption Signalling Network
In a traditional SDH network, because the entire network uses a unified clock and strict time division multiplexing (TDM), the channel delay between SDH NEs is stable while the network is stable. This differs from a data network, where delay is influenced by more factors such as traffic congestion, processing capability and queuing policy.
The Link Capacity Adjustment Scheme (LCAS) is one of the SDH protocols; together with virtual concatenation it is used by SDH networks to transport Ethernet data. Taking the transmission of 10 Mbps of Ethernet data between SDH NE A and SDH NE B as an example, NE A can use LCAS to divide the 10 Mbps of user data into five 2 Mbps data streams, each transmitted via a Virtual Container (VC-12), which becomes a sub-channel of the ESC. At NE B, the same LCAS technology re-integrates the data streams from the five sub-channels back into a 10 Mbps Ethernet stream, which is then sent to router B. With LCAS, these five sub-channels are relatively independent, and each sub-channel can take a different physical route from the others. The present application utilizes this LCAS function to create the Encryption Signalling Channel (ESC). On top of standard LCAS, monitoring and control functions are added to the ESC and to each of its sub-channels, and encryption and authentication functions are added at both ends of the ESC and of each sub-channel.
Using SDH and LCAS as the foundation, the ESN provides an end-to-end ESC for the data network. At each site, an ESN-NE co-exists with the common data network equipment (such as a router). Each router has one or more data interfaces interconnected with the local ESN-NE; these interfaces carry the encryption signalling data between the router and the local ESN-NE. When a data encryption service is required between two routers, the two routers first send a channel request to their local ESN-NEs; the two ESN-NEs then establish a secure Encryption Signalling Channel (ESC) via the ESN and notify the local data equipment. The data equipment then exchange all encryption signalling data through the ESC over the ESN. After the encryption negotiation is completed, the encrypted data is transmitted through the normal data network. When the data equipment no longer need the ESC, they send a release request to their local ESN-NEs, and the two ESN-NEs release the ESC between them. The following sections explain this solution in further detail.
5.2 Multi-Path ESC
When an encrypted data service is required between router A and router B, router A and router B establish an end-to-end ESC through the ESN; the ESC has a fixed bandwidth and multiple sub-channels. Using a 10 Mbps ESC as an example, ESN-NE A and ESN-NE B establish a 5 x VC-12 ESC through the ESN; each VC-12 is a sub-channel with 2 Mbps of bandwidth, and each VC-12 (sub-channel) takes a different physical path in the ESN. Even if one, or four, of the sub-channels are intruded and monitored by an attacker, the attacker is still not able to collect all of the encryption signalling data. In contrast, in the traditional encryption signalling method, once the network link is intruded and monitored, all encryption signalling information and encrypted data can be completely collected by the interceptor and then analysed and cracked. With the ESN and ESC, only if all five sub-channels are intruded can the intruder collect all of the encryption signalling data. Since the five sub-channels use different physical paths, the intruder must simultaneously intrude and monitor all five physical paths. Such an ESC greatly increases the difficulty for an attacker and thereby greatly enhances the security of the encryption signalling data.
After the key exchange and encryption authentication negotiation is completed through the ESN, the encrypted data is transmitted through the data network. From the perspective of transmission network, transmission channel and transmission path, the encryption negotiation data and the encrypted data are delivered completely independently. Figure 3 illustrates embodiments of the ESC.
In the 10 Mbps ESC example above, ESN-NE A and ESN-NE B can also arbitrarily and randomly select a particular sub-channel for communication, or choose to hop randomly among the five sub-channels. After routers A and B complete the encryption signalling interaction through the ESC, the various encryption keys of the two parties have been exchanged, negotiated and determined via the ESC. Router A and router B may then decide to release the ESC, and re-establish it periodically or irregularly whenever they need to update the encryption key, algorithm or parameters. For important encryption services, the two parties can maintain the ESC between them for a long time. In such a long-term ESC scenario, the encryption key need not be a fixed key: it can be a sequence of keys or a key stream that keeps changing continuously, with a change cycle of every minute or even every ten seconds, which greatly enhances the security of the encrypted services.
In addition, ESN-NE A and B have monitoring, control and encryption functions on each sub-channel. A and B periodically send HELLO and ACK messages to each other on the sub-channels of the ESC and constantly monitor the path overhead of the corresponding VC-12. When a sub-channel is abnormal (for example abnormal channel-overhead monitoring or abnormal HELLO authentication delay), A and B can immediately negotiate to close the suspicious sub-channel and establish another sub-channel for the ESC. In this network environment, the end-to-end ESC not only enjoys five sub-channels over five different physical paths but can also add and drop a particular sub-channel dynamically and randomly when required. Beyond that, each sub-channel is an independent encrypted channel with its own authentication and encryption function, so all encryption signalling traffic in that sub-channel is encrypted by the ESN and ESC.
In the traditional In-Band Encryption Signalling Mode, by contrast, the data link or data channel is shared by both the encryption signalling and the encrypted data. Once the data link is compromised, the routers and the network management system (NMS) normally have no ability to discover the intrusion from a network security perspective, since neither the routers nor the NMS is sensitive to changes in latency. Because they cannot discover this potential security risk, they have no ability to adjust the service path of a particular encrypted data service in time. Once the data link and service channel are established for an encryption service, the security of the encrypted data depends entirely on proper maintenance of the keys and certificates. Once a key or certificate is leaked, the encrypted data is completely exposed to the risk of decryption.
In contrast, an ESC based on SDH+LCAS has multiple sub-channels over different paths, and each sub-channel has its own status monitoring, control and encryption functions. Once the status of a particular E1 (VC-12) sub-channel is abnormal, the ESN-NEs at both ends of the ESC can immediately close the suspicious sub-channel and establish another sub-channel as needed to maintain the 10 Mbps bandwidth. Between ESN-NEs, the ESC control scheme can also change the path of each sub-channel periodically, which means that not only does the ESC have multiple sub-channels over multiple physical paths, but each sub-channel's physical path is changed periodically or randomly, and the encryption key of each sub-channel is changed accordingly. Through regular or random changes to the physical path and encryption key of each sub-channel, the security of the ESC is further strengthened, which in turn strengthens the associated encrypted data services.
The 10 Mbps encryption signalling channel above is just a specific example. In an SDH network, a 46 x 2 Mbps channel, a 3 x 45 Mbps channel, or a combination of even higher bandwidths can also be implemented to meet the needs of encryption services requiring different bandwidths.
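The following is an added worked example, not part of the patent, that models the multi-path ESC of section 5.2 and shows what an intruder on some but not all sub-channels actually obtains. The text argues that all five physical paths must be tapped to collect all of the signalling data. With plain LCAS-style byte interleaving that is literally true, but every tapped sub-channel still yields a fifth of the bytes of the key being carried. The XOR n-of-n split included below is an assumption of this example (the patent does not specify how signalling bytes are distributed over the sub-channels); it gives the all-or-nothing property the text is aiming for. The session key and sub-channel count are constructed values.

```python
import os
from typing import List, Optional, Set

NUM_SUBCHANNELS = 5   # the 5 x VC-12 ESC of the text (constructed)


def stripe(payload: bytes, n: int = NUM_SUBCHANNELS) -> List[bytes]:
    """LCAS/VCAT-style distribution: byte i of the payload travels on sub-channel i mod n."""
    return [payload[i::n] for i in range(n)]


def unstripe(parts: List[bytes]) -> bytes:
    """Receiver side: re-interleave the sub-channel streams into the original payload."""
    n = len(parts)
    out = bytearray(sum(len(p) for p in parts))
    for i, p in enumerate(parts):
        out[i::n] = p
    return bytes(out)


def recover_from_taps(parts: List[bytes], tapped: Set[int]) -> List[Optional[int]]:
    """What an eavesdropper on the `tapped` striped sub-channels learns:
    the byte value where known, None where the byte travelled on an untapped path."""
    n = len(parts)
    out: List[Optional[int]] = [None] * sum(len(p) for p in parts)
    for i in tapped:
        out[i::n] = list(parts[i])
    return out


def xor_all(chunks: List[bytes]) -> bytes:
    acc = bytearray(len(chunks[0]))
    for c in chunks:
        for i, b in enumerate(c):
            acc[i] ^= b
    return bytes(acc)


def xor_split(payload: bytes, n: int = NUM_SUBCHANNELS) -> List[bytes]:
    """n-of-n split (assumed here, not specified by the text): n-1 uniformly random
    shares plus payload XOR (all of them). Any n-1 shares are independent of the payload."""
    if n < 2:
        raise ValueError("need at least two sub-channels")
    shares = [os.urandom(len(payload)) for _ in range(n - 1)]
    shares.append(xor_all(shares + [payload]))
    return shares


def xor_join(shares: List[bytes]) -> bytes:
    return xor_all(shares)


def bytes_learned_striped(parts: List[bytes], tapped: Set[int]) -> int:
    """Bytes of the payload an intruder reads outright from tapped striped sub-channels."""
    return sum(len(parts[i]) for i in tapped)


def bytes_learned_xor(shares: List[bytes], tapped: Set[int]) -> int:
    """With fewer than all shares the tap yields nothing; with all of them, everything."""
    return len(shares[0]) if len(tapped) == len(shares) else 0


# Constructed signalling payload: a 32-byte session key to be carried over the ESC.
SESSION_KEY = bytes(range(32))

if __name__ == "__main__":
    parts, shares = stripe(SESSION_KEY), xor_split(SESSION_KEY)
    four = {0, 1, 2, 3}                       # intruder on four of the five physical paths
    print("striped: intruder learns", bytes_learned_striped(parts, four), "of 32 bytes")
    print("xor-split: intruder learns", bytes_learned_xor(shares, four), "of 32 bytes")
    assert unstripe(parts) == SESSION_KEY and xor_join(shares) == SESSION_KEY
```

With striping, an intruder on four paths reads 26 of the 32 key bytes and is left with a 48-bit search; with the XOR split the same intruder learns nothing until the fifth path is also tapped, which is the property the sub-channel design is meant to deliver. Random hopping among sub-channels, as described for the 10 Mbps example, changes which path an intruder must watch but not this arithmetic.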
5.3 Latency Authentication
Each sub-channel of an ESC has its own authentication method, and the stable latency of the ESN enhances that authentication. For example, if the latency of a sub-channel is fixed at 100 µs (because it is a time division multiplex circuit), then when A sends a HELLO probe packet to B, A should receive B's reply within the expected delay range. If an intruder wants to play the role of an intermediary between A and B, or to impersonate A or B, he must meet the delay range, and therefore the distance range, between A and B. The physical distance and the associated fixed latency therefore greatly limit the intruder's opportunity.
In addition, both ends of the ESC use the latencies of the different sub-channels to enhance the authentication between each other. In the 10 Mbps ESC example above, each sub-channel has a different stable latency, so the ESN-NEs at both ends of the ESC can use these multiple stable latencies for mutual authentication. ESN-NE A can send HELLO packets to ESN-NE B via the five sub-channels simultaneously and request ESN-NE B to send ACK messages back on the corresponding sub-channels; all ACKs should be received within the expected latency. ESN-NE A can also ask ESN-NE B for the current latency of each sub-channel, and ESN-NE B should give the right answer for every sub-channel. If an intruder has successfully compromised one sub-channel, he does not know the latency parameters of the other four, and so cannot act as a man in the middle between A and B. Furthermore, A and B can agree that a HELLO sent on a certain sub-channel must be answered on another designated sub-channel; since the intruder cannot intrude that other sub-channel and does not know its latency, he cannot play the man in the middle. When there is an abnormal response or abnormal response latency between A and B, A and B can immediately adjust the channel settings, close the suspicious sub-channel and establish new sub-channels as needed. By utilizing the latencies of multiple sub-channels, the authentication between the two ends of an ESC is significantly enhanced.
5.4 Network Neighbour Authentication Link (NNAL)
In one aspect, embodiments of the present application provide a method to enhance the authentication between neighbouring network elements (NEs) of a network. The method establishes a physical link between the NEs that is dedicated to the authentication of neighbouring NEs; in the present application this link is named the Network Neighbour Authentication Link (NNAL). The NNAL uses SDH technology and uses multiple factors to enhance authentication, including latency, link rate, encapsulation format, channel coding, source coding, jitter and drift, modulation method, etc.
5.4.1 Latency Authentication Method
The NNAL uses the stable latency of the SDH link to enhance the authentication between multiple NEs of the ESN. For example, ESN-NEs A, B and C are neighbours of each other via direct physical links, and A, B and C run a latency-based authentication protocol. A sends two HELLO packets to B and requests B to send the responses back via two different paths: one via NNAL A-B, the other via NNAL B-C and NNAL C-A. Because the NNALs use SDH technology, each NNAL has a stable latency, so A should receive two ACK responses from B, each with its expected latency. If an attacker has intruded NNAL A-B and is physically very close to that NNAL, he may be able to simulate the ACK via NNAL A-B. However, because the attacker does not know the latency of NNAL B-C and NNAL C-A, he cannot simulate the ACK response to A via NNAL B-C and NNAL C-A within the expected latency. Since the attacker cannot overcome the physical latency between B and himself, he cannot impersonate B towards A, even if he has obtained the certificate or key used for the traditional authentication between A and B. Because it is very difficult for an attacker to intrude three ESN-NEs or three NNALs at the same time, the authentication between A, B and C is enhanced by this latency authentication method.
The example above is a case of authentication among three NEs; the same latency authentication method can also be used for four or more NEs. Based on latency authentication via the NNAL, an NE can discover a suspicious NE and update the certificate or authentication key where required.
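The following is an added worked example, not part of the patent, that simulates the latency-bounded HELLO/ACK checks of both section 5.3 (one ESC, five sub-channels, reply required on a designated different sub-channel) and section 5.4.1 (three NEs, reply required via the A-B link and via the B-C, C-A detour). Assumptions of this example: each link is a TDM circuit with a constant one-way latency (the microsecond figures are constructed), the ACK carries an HMAC over the nonce and the two path identifiers under a key shared by the two ends, and the intruder is the worst case the text describes, holding that key but physically tapping only some links. A HELLO/ACK pair fails if the ACK is missing, has a wrong MAC, or arrives outside the expected round-trip window; an early arrival is treated as suspicious just like a late one.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TOLERANCE_US = 5.0   # accepted deviation from the expected round trip (constructed)


@dataclass(frozen=True)
class Link:
    name: str
    latency_us: float   # fixed one-way latency of a TDM circuit (constructed value)


Path = Tuple[str, ...]   # ordered link names, e.g. ("B-C", "C-A")


def path_latency(links: Dict[str, Link], path: Path) -> float:
    return sum(links[n].latency_us for n in path)


def ack_mac(key: bytes, nonce: bytes, hello: Path, reply: Path) -> bytes:
    """Assumed ACK format: HMAC-SHA256 over the nonce and both path identifiers."""
    msg = nonce + b"|" + "/".join(hello).encode() + b"|" + "/".join(reply).encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class HonestPeer:
    """B: hears the HELLO after the whole hello path, answers on the designated reply path."""
    def __init__(self, key: bytes):
        self.key = key

    def answer(self, links, nonce, hello, reply, t_sent):
        t_arrive = t_sent + path_latency(links, hello) + path_latency(links, reply)
        return ack_mac(self.key, nonce, hello, reply), t_arrive


class Intruder:
    """Worst case from the text: holds the key, but physically taps only some links.
    `taps` maps link name -> position along the link seen from A (0.0 = at A, 1.0 = at B)."""
    def __init__(self, key: bytes, taps: Dict[str, float]):
        self.key = key
        self.taps = taps

    def answer(self, links, nonce, hello, reply, t_sent):
        first = hello[0]
        if first not in self.taps:
            return None                                    # never sees the HELLO
        t_seen = t_sent + self.taps[first] * links[first].latency_us
        last = reply[-1]                                   # the link that delivers the ACK to A
        if last not in self.taps:
            return None                                    # cannot inject on that path: timeout
        t_arrive = t_seen + self.taps[last] * links[last].latency_us
        return ack_mac(self.key, nonce, hello, reply), t_arrive


def verify(links, key, peer, hello: Path, reply: Path, t_sent: float = 0.0) -> bool:
    nonce = os.urandom(16)
    got = peer.answer(links, nonce, hello, reply, t_sent)
    if got is None:
        return False
    ack, t_arrive = got
    if not hmac.compare_digest(ack, ack_mac(key, nonce, hello, reply)):
        return False
    expected = t_sent + path_latency(links, hello) + path_latency(links, reply)
    return abs(t_arrive - expected) <= TOLERANCE_US       # early is as suspicious as late


def failed_checks(links, key, peer, checks: List[Tuple[Path, Path]]):
    """Return the (hello, reply) pairs that fail; the ESC would close those sub-channels."""
    return [c for c in checks if not verify(links, key, peer, c[0], c[1])]


# Constructed 10 Mbps ESC: five VC-12 sub-channels on different physical paths.
ESC = {n: Link(n, lat) for n, lat in
       [("sc1", 100.0), ("sc2", 130.0), ("sc3", 160.0), ("sc4", 190.0), ("sc5", 220.0)]}
ESC_CHECKS = [(("sc2",), ("sc2",)),        # reply on the same sub-channel
              (("sc2",), ("sc4",))]        # reply on a designated different sub-channel

# Constructed NNAL triangle of section 5.4.1.
NNAL = {n: Link(n, lat) for n, lat in [("A-B", 80.0), ("B-C", 120.0), ("C-A", 150.0)]}
NNAL_CHECKS = [(("A-B",), ("A-B",)),               # direct reply
               (("A-B",), ("B-C", "C-A"))]         # reply routed via C

KEY = b"constructed-shared-esc-key"

if __name__ == "__main__":
    honest = HonestPeer(KEY)
    near_b = Intruder(KEY, {"sc2": 0.99, "A-B": 0.99})   # one tapped path, close to B
    print("honest ESC failures:  ", failed_checks(ESC, KEY, honest, ESC_CHECKS))
    print("intruder ESC failures:", failed_checks(ESC, KEY, near_b, ESC_CHECKS))
    print("intruder NNAL failures:", failed_checks(NNAL, KEY, near_b, NNAL_CHECKS))
```

The run shows the point the text makes: an intruder tapping one path close to B passes the same-path check, because his reply arrives within the window, but fails every check whose reply must come back over a path he does not tap. The same-path check alone only bounds where along the path the intruder can sit.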
5.4.2 Link Rate and Frame Format Method For Authentication The NNAL use link rate and frame format to enhance the authentication between n NEs. For example, the NNAL A-B use 155Mbps (STMI) frame format, A and B can change the frame format regularly and irregularly according to the agreement, the frame can be lxVC4, 3xVC3, 63xVC12, 2xVC3 +21xVC2 and any other possible combinations. In terms of link rate, A and B can change the bit rate of NNAL from STM(155Mbps) to STM4 (622Mbps) different rates regularly or irregularly as agreed. In addition, various section overhead protocols of SDH networks, such as regeneration section overhead and multiplex section overhead, can also be used to strengthen authentication. If the hacker wants to pretend as B towards A, it must not only intrude the NNAL A-B, but also know the adjust rule or protocol regarding the change of link rate and frame format.
5.4.3 Clock And Clock Signalling Method For Authentication The NNAL use the clock signal and clock signalling protocol to enhance the authentication. In the SDH technology, clock signals are used by NEs for keeping the synchronization of whole SDH network, the quality of clock signal is categorized as Primary Reference Clock (PRC), Synchronization Supply Unit A (SSU-A), Synchronization Supply Unit B (SSU-B) and SDH Equipment Clock (SEC). All SDH NE Synchronization Status Message (SSM) to advise its downstream NE what quality of clock it is sending out; the whole network has a unified clock signalling policy or strategy for the control of synchronization. The NNAL can use clock and clock signalling protocol of SDH technology to strengthening the authentication between neighbours. For example, A, B and C have NNAL links between each other. A send a special clock signal to C, the clock signal has special characters from clocking perspective, A then request C to forward the clock signal to B. A then request B to forward the clock from C back to A. When A received the clock, A know the signal is same as the one A send out, and there is a clock loop happen. B and C can do the same thing as A did to confirm with each other. Through the cooperation between A, B and C, they can confirm the authentication from clock and clock signalling perspective. If the hacker intruded into NNAL A-B and want to pretend as B towards A, the hacker needs to not only recognize and generate the relevant clock signal, but also need to know the clock signalling protocol between A, B and C. Although in the usual SDH network, the clock control is used only for the control of synchronization and to avoid clock loop, but in NNAL based on SDH technology, both clock signalling and the clock loop can be used to enhance the authentication between NEs.
5.4.4 Pseudo-Random Sequence Method and Jitter and Drift Method For Authentication The NNAL can also use pseudo-random sequence, jitter, and drift to enhance the authentication of NE neighbour. The equipment at both end of NNAL have an agreed rule regarding the signal generation, signal recognition and signal response. For example, A and B is NNAL neighbour, A can generate a pseudo-random sequence signal and send to B. When B receive the pseudo-random sequence signal, B will transfer it to another different pseudo random sequence signal using an algorithm agreed with A. B send the new pseudo-random sequence signal back to A, A then verify the received pseudo-random sequence signal use the same algorithm. If A can receive the expected pseudo-random sequence signal from B, then the authentication is confirmed via pseudo-random sequence signal method.
Similarly, A and B can also use jitter and drift to enhance the authentication on NNAL. Both A and B have ability to a signal with certain jitter and drift characters, both A and B can recognize the characters of these jitter and drift. A send a signal with certain positive jitter and drift characters to B, B receives the signal then turn it to certain negative jitter and drift characters and sends back to A. When A receives the response signal, it verifies the jitter and drift characters and the response latency. If the received signal is correct and the response from B is received within expected latency, then the authentication is confirmed.
If the hacker wants to pretend as B towards A, he need not only the ability to intrude the NNAL, but also the ability to generate and process pseudo-random sequence, and the ability to accurately create and recognize certain jitter and drift of a signal. The hacker also needs to know the agreement between A and B regarding the pseudo-random sequence, jitter, and drift. Such requirements significantly increase the difficulty to the hacker, so the authentication is largely enhanced. Although jitter and drift are what common network want to avoid, but on NNAL, it can be used for authentication.
5.4.5 Channel Error Correction Coding Method and Modulation Method For Authentication
The NNAL can utilize channel error correction coding for authentication. The equipment at both ends of the NNAL has an agreed rule regarding channel bit-error generation, the channel error correction coding method and the bit-error response. For example, A and B send an agreed pseudo-random sequence signal to each other. A generates a certain bit-error on the signal to B; B should be able to recognize the bit-error and respond with a correct signal by using the channel error correction coding. Additionally, B also needs to create another bit-error with certain error characteristics and send it to A within a certain latency; the error characteristics are generated based on the agreement between A and B. The NNAL uses the SDH format for the signal between A and B, so the error characteristics can be a bit-error on a certain bit of an agreed byte in the SDH frame, or a certain number of bit-errors on certain multiple bits of certain multiple bytes. If a hacker plans to hack the NNAL between A and B, he needs not only to recognize the bit-error in the pseudo-random sequence signal, but also to correct it and send back certain bit-error characteristics based on the agreed rule. The hacker also needs to overcome the latency limitation. Although bit-errors are what common networks try to avoid as much as they can, here the NNAL can use them for authentication.
Similarly, the NNAL can use the modulation method for authentication. The NEs at both ends of the NNAL have an agreement regarding the selection, change and control of the modulation method. Both NEs can change the modulation method between them regularly or randomly by agreement and negotiation. The modulation method type can be RZ, NRZ, DPSK, QPSK, QAM-4, QAM-8, QAM-16, QAM-64, etc. If a hacker wants to hack the NNAL link, he needs not only to be able to recognize and generate different signals with different modulations, but also to know the agreement between A and B regarding modulation. The hacker also needs to respond to the modulation change within a certain latency.
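Below is an added worked example in Python, not code from the patent, simulating the bit-error authentication of section 5.4.5. It assumes Hamming(7,4) per nibble as the channel error correction code, a seeded generator as the agreed pseudo-random sequence, an 8-byte frame in place of an SDH frame, and constructed values for the agreed error positions (ERROR_RULE) and the latency budget (MAX_LATENCY_S); all function names are the example's own. It runs both sides of the exchange and shows why a responder that knows the sequence but not the agreed error rule, one that does not know the sequence, or one that answers late is rejected. The modulation-switching method described in the preceding paragraph is a physical-layer mechanism and is not simulated here.

```python
"""Added example, not from the patent: bit-error challenge-response on an NNAL.

Simulates the section 5.4.5 exchange: A sends the agreed pseudo-random frame,
protected by a channel error-correction code, with one deliberate bit-error at
an agreed position; B must correct it, confirm it sat where the rule says, and
answer with its own agreed bit-error within the latency budget. Assumptions
made for the simulation: Hamming(7,4) per nibble stands in for the channel
coding, a seeded generator stands in for the agreed pseudo-random sequence,
the frame is 8 bytes rather than an SDH frame, and ERROR_RULE, FRAME_BYTES and
MAX_LATENCY_S are constructed sample values.
"""
import random

FRAME_BYTES = 8
MAX_LATENCY_S = 0.010
# Agreed rule (assumed): which (codeword index, 1-based bit) each side flips.
ERROR_RULE = {"A->B": (3, 5), "B->A": (10, 2)}


def encode_nibble(d):
    """Hamming(7,4): data bits d1..d4 -> [p1, p2, d1, p3, d2, d3, d4]."""
    d1, d2, d3, d4 = (d >> 3) & 1, (d >> 2) & 1, (d >> 1) & 1, d & 1
    p1, p2, p3 = d1 ^ d2 ^ d4, d1 ^ d3 ^ d4, d2 ^ d3 ^ d4
    return [p1, p2, d1, p3, d2, d3, d4]


def decode_codeword(cw):
    """Return (nibble, corrected_position); position 0 means no error seen."""
    cw = list(cw)
    p1, p2, d1, p3, d2, d3, d4 = cw
    s1, s2, s3 = p1 ^ d1 ^ d2 ^ d4, p2 ^ d1 ^ d3 ^ d4, p3 ^ d2 ^ d3 ^ d4
    pos = s1 | (s2 << 1) | (s3 << 2)      # syndrome equals the 1-based error position
    if pos:
        cw[pos - 1] ^= 1                   # single-bit correction
    _, _, d1, _, d2, d3, d4 = cw
    return (d1 << 3) | (d2 << 2) | (d3 << 1) | d4, pos


def encode_frame(data):
    """Two codewords per byte: high nibble first, then low nibble."""
    return [cw for b in data for cw in (encode_nibble(b >> 4), encode_nibble(b & 0xF))]


def decode_frame(frame):
    """Decode all codewords; also report every (index, position) that was corrected."""
    out, corrections = bytearray(), []
    for i in range(0, len(frame), 2):
        hi, p_hi = decode_codeword(frame[i])
        lo, p_lo = decode_codeword(frame[i + 1])
        if p_hi:
            corrections.append((i, p_hi))
        if p_lo:
            corrections.append((i + 1, p_lo))
        out.append((hi << 4) | lo)
    return bytes(out), corrections


def inject_error(frame, index, pos):
    """Flip one bit of one codeword; returns a new frame, the input is untouched."""
    frame = [list(cw) for cw in frame]
    frame[index][pos - 1] ^= 1
    return frame


def agreed_sequence(seed):
    """Stand-in for the pseudo-random sequence both ends agreed on (assumption)."""
    rng = random.Random(seed)
    return bytes(rng.getrandbits(8) for _ in range(FRAME_BYTES))


def build_challenge(seed, rule=ERROR_RULE):
    """A's side: encode the agreed sequence and flip the agreed bit."""
    return inject_error(encode_frame(agreed_sequence(seed)), *rule["A->B"])


def check_and_respond(received, seed, rule=ERROR_RULE):
    """B's side: correct the frame, check the error was where agreed, reply with B's own error."""
    data, corrections = decode_frame(received)
    if data != agreed_sequence(seed) or corrections != [rule["A->B"]]:
        return None                        # wrong sequence or wrong error pattern: stay silent
    return inject_error(encode_frame(data), *rule["B->A"])


def verify_response(response, seed, latency_s, rule=ERROR_RULE):
    """A's side: B must have answered in time, with the right data and the agreed error."""
    if response is None or latency_s > MAX_LATENCY_S:
        return False
    data, corrections = decode_frame(response)
    return data == agreed_sequence(seed) and corrections == [rule["B->A"]]


def run_exchange(seed, b_rule=ERROR_RULE, b_seed=None, latency_s=0.002):
    """Full exchange; b_rule and b_seed are what the responding side believes the agreement is."""
    challenge = build_challenge(seed)
    response = check_and_respond(challenge, seed if b_seed is None else b_seed, b_rule)
    return verify_response(response, seed, latency_s)
```

The check on both sides is deliberately strict: the decoder reports every correction it made, and the frame is accepted only if the list of corrections is exactly the one agreed position. A frame with additional channel errors therefore fails authentication rather than being silently corrected, which matches the patent's point that the bit-error itself carries the authentication information.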
5.4.6 Network Level Authentication Method For Authentication
In the above sections, the authentication happens between the two ends of an NNAL only. In a network environment, the authentication methods mentioned above can also be used at network level. For example, NE-A has four neighbours in the network and four NNALs, one towards each neighbour. The Network Management System (NMS) can request all of A's neighbours to send authentication requests to A at the same time, each neighbour using a different type of authentication method. NE-A needs to respond to all these authentication requests correctly and in time, within the expected latency. All of A's neighbours then report the result of the authentication to the NMS. If all responses from A are correct, then A is authenticated at network level. If a hacker wants to impersonate A, he needs not only to respond to different types of authentication requests in different directions, but also to respond within different latencies. Such limitations greatly increase the complexity and difficulty for the hacker, and the authentication is greatly enhanced.
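Below is an added worked example in Python, not code from the patent, covering the pseudo-random sequence method of section 5.4.4 and its network-level use in section 5.4.6. It assumes that the "algorithm agreed with A" is HMAC-SHA256 under a per-link pre-shared key, that response latencies are supplied as simulated numbers rather than measured on a link, that every neighbour uses this same method type with its own key and latency budget (a simplification; the patent lets each neighbour use a different method type), and that LINK_KEYS and LATENCY_BUDGET_S are constructed sample values; the class and function names are the example's own.

```python
"""Added example, not from the patent: keyed challenge-response on NNALs.

Covers section 5.4.4 (one neighbour pair, agreed transform plus latency
window) and section 5.4.6 (the NMS has all of A's neighbours challenge A at
once and accepts A only if every answer is correct and on time). Assumed:
the agreed transform is HMAC-SHA256 under a per-link pre-shared key, latencies
are simulated numbers, and LINK_KEYS / LATENCY_BUDGET_S are constructed values.
"""
import hashlib
import hmac
import secrets


class LinkEnd:
    """One end of an NNAL: holds the per-link key and the latency it will accept."""

    def __init__(self, name, link_key, max_latency_s):
        self.name = name
        self.key = link_key
        self.max_latency_s = max_latency_s
        self._outstanding = set()   # challenges issued and not yet answered

    def transform(self, sequence):
        # The 'algorithm agreed with A' of 5.4.4, assumed here to be HMAC-SHA256.
        return hmac.new(self.key, sequence, hashlib.sha256).digest()

    def new_challenge(self, length=16):
        sequence = secrets.token_bytes(length)   # fresh pseudo-random sequence signal
        self._outstanding.add(sequence)
        return sequence

    def respond(self, sequence):
        return self.transform(sequence)

    def verify(self, sequence, response, latency_s):
        """Accept only an answer to a challenge we issued, in time, with the right value."""
        if sequence not in self._outstanding:
            return False                          # replayed or never issued
        self._outstanding.discard(sequence)       # each challenge is answered once
        if latency_s > self.max_latency_s:
            return False
        return hmac.compare_digest(self.transform(sequence), response)


def link_authenticate(verifier, responder, latency_s):
    """Section 5.4.4: one end challenges its neighbour across a single NNAL."""
    sequence = verifier.new_challenge()
    return verifier.verify(sequence, responder.respond(sequence), latency_s)


# Constructed sample values for NE-A's four NNALs.
LINK_KEYS = {"N1": b"link-key-N1", "N2": b"link-key-N2",
             "N3": b"link-key-N3", "N4": b"link-key-N4"}
LATENCY_BUDGET_S = {"N1": 0.005, "N2": 0.010, "N3": 0.020, "N4": 0.008}


def make_network(link_keys=LINK_KEYS, budgets=LATENCY_BUDGET_S):
    """One verifier per neighbour, and A's own end of each of those links."""
    neighbours = {n: LinkEnd(n, k, budgets[n]) for n, k in link_keys.items()}
    a_side = {n: LinkEnd("A", k, budgets[n]) for n, k in link_keys.items()}
    return neighbours, a_side


def network_authenticate(neighbours, a_side, latencies):
    """Section 5.4.6: every neighbour challenges A; the NMS accepts A only if all pass."""
    reports = {}
    for name, verifier in neighbours.items():
        sequence = verifier.new_challenge()
        response = a_side[name].respond(sequence)
        reports[name] = verifier.verify(sequence, response, latencies[name])
    return all(reports.values()), reports
```

Two design points stand in for properties the patent relies on. The per-link key and per-link latency budget are what make A's four answers differ "in different directions", so an impostor that holds only one link's agreement fails on the other three. The outstanding-challenge set makes each pseudo-random sequence answerable once, so a recorded response cannot be replayed into a later round.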
5.5 Summary
The information security based on the traditional In-Band Encryption Signalling depends on the complexity of the encryption algorithm, or on the difficulty of acquiring the decryption capability, such as CPU capacity and memory size. Since a packet-switching network cannot guarantee a stable delay for an end-to-end service, from a security perspective it is difficult for the packet-switching network to use stable delay parameters to strengthen authentication and encryption. Since there is no dedicated ESN, once the traditional encryption signalling method has completed the negotiation of the encryption method, the key (or certificate) becomes a fixed key for a long period, unless maintenance personnel manually change the key setting or certificate setting. The In-Band Encryption Signalling cannot achieve real-time dynamic key transformation. Once the encrypted data is intercepted, the network and the encrypted services are passively and completely exposed to the risk of being cracked.
In an ESN environment as described above, the ESC comprises multiple sub-channels with multiple different physical paths, and each sub-channel has its own monitoring, authentication and encryption functions, which greatly strengthens the security and reliability of the ESC. While maintaining the traditional In-Band Signalling, building an ESN based on SDH network technology can greatly improve the security of the communication network and the security of the data services on the network.
On the other hand, the traditional In-Band Authentication method between NE neighbours is based entirely on data packet processing. Once the encryption method of the network management is cracked, the intruder can easily invade the network and then pretend to be one of the legal NEs in the network. In contrast, the establishment of NNALs between neighbouring NEs can introduce many new authentication methods between neighbours. The authentication can enter the frame level by using the link rate and frame format method, it can enter the bit level by using the channel coding mode method, and it can further enter the digital signal quality level by using the jitter and drift method. Finally, it can enter the analogue level by using the different modulation method. Beyond that, the authentication can be completed not only between the two ends of an NNAL at link level, but also among multiple NEs at network level. By using the NNAL and the multiple authentication methods provided in the present application, the reliability of authentication between physically neighbouring NEs can be greatly improved.
The present invention has been described in relation to particular embodiments, which are intended in all respects to be illustrative rather than restrictive. Alternative embodiments will become apparent to those of ordinary skill in the art to which the present invention pertains without departing from its scope.
Throughout this specification and the claims which follow, unless the context requires otherwise, the word "comprise", and variations such as "comprises" and "comprising", are intended to be equivalent in meaning and be open ended in that an item or items following any one of these words is not meant to be an exhaustive listing of such item or items, or meant to be limited to only the listed item or items.

Claims (5)

  1. An Encryption Signalling Network (ESN) providing dedicated secure channels for encryption signalling of communication networks, wherein the encryption signalling comprises information about authentication process, exchange of keys and certificate, negotiation of algorithm, encryption mode, and parameters that used for common data encryption; wherein the encryption signalling are transmitted in the ESN which is separated from a network that transmits encrypted data; the ESN comprises:
    (a) multiple ESN Network Elements (ESN-NEs), wherein the ESN-NEs are connected with each other via physical SDH Links;
    (b) one or more ESN-Client Interfaces, which are dedicated interfaces for the communication between ESN-NE and local data equipment; wherein the local data equipment send channel request information to one or more ESN-NEs via the one or more interfaces, the one or more ESN-NEs send responses to local data equipment via the one or more interfaces;
    (c) one or more Encryption Signalling Channels (ESCs), wherein each ESC is an end-to-end SDH circuit with multiple virtual concatenated containers, each container has a separate physical path; wherein each ESC is created using LCAS protocol between two ESN-NEs, each container within an ESC is a sub-channel of the ESC, and different sub-channel of one ESC goes through different physical path in the ESN network; wherein the ESN-NEs receive Encryption Signalling Channel (ESC) requests from local data equipment, then establish an end-to-end ESC with remote ESN-NEs; wherein the end-to-end ESC is used by two local data equipment to send encryption signalling;
    (d) ESC Authentication, which is an end-to-end authentication at both ends of an ESC to enhance the security of ESN at ESC level; wherein each ESC includes encryption/decryption operations at both ends of an ESC;
    (e) Sub-channel Authentication, which is an end-to-end authentication at both ends of a sub-channel of the ESC to enhance the security of ESN at sub-channel level; wherein each sub-channel includes encryption/decryption operations at both ends of the sub-channel; wherein the one or more ESN-NEs monitor statuses of each ESC and each sub-channel of ESC for security purpose; when the status of a sub-channel becomes abnormal, the ESN-NEs at both ends of this sub-channel release this sub-channel and recreate another sub-channel through another physical path for the related ESC.
  2. The ESN network according to claim 1, wherein the local data equipment comprises routers, and the local data equipment send encryption signalling information into the ESN via the one or more ESN-Client interfaces.
  3. The ESN network according to claim 1, wherein the ESC Authentication uses traditional authentication methods or utilizes the latencies of multiple sub-channels; the Sub-channel Authentication of each sub-channel uses traditional authentication methods or utilizes the latency which is different from the latencies of other sub-channels.
  4. The ESN network according to claim 1, the ESN network transfers traditional static key, dynamic key and/or a key stream.
  5. A non-transitory computer-readable medium having instructions stored thereon that are executable to cause a network system to carry out the functions according to claim 1.
AU2021104109A 2021-07-13 2021-07-13 Encryption signalling network and authentication-link Active AU2021104109B4 (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
AU2021104109A AU2021104109B4 (en) 2021-07-13 2021-07-13 Encryption signalling network and authentication-link

Publications (2)

Publication Number Publication Date
AU2021104109A4 AU2021104109A4 (en) 2021-08-26
AU2021104109B4 true AU2021104109B4 (en) 2022-01-27

Family

ID=77369611

Family Applications (1)

Application Number Title Priority Date Filing Date
AU2021104109A Active AU2021104109B4 (en) 2021-07-13 2021-07-13 Encryption signalling network and authentication-link

Country Status (1)

Country Link
AU (1) AU2021104109B4 (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP1187483B1 (en) * 2000-09-07 2010-03-03 Eastman Kodak Company An encryption apparatus and method for synchronizing multiple encryption keys with a data stream
WO2011028265A2 (en) * 2009-09-04 2011-03-10 Mrv Communications, Inc. Dynamically switchable, encryption-adaptable and monitored, high speed, high capacity networks, methods, modules and systems, utilizing multiple and variable path transmission and breach detection capabilities
CN103138918A (en) * 2011-11-28 2013-06-05 中兴通讯股份有限公司 Method, device and system of avoiding gigabit passive optical network (GPON) system encryption enabling instant packet loss
CN110035335A (en) * 2019-03-29 2019-07-19 国家电网有限公司 A method of for creating the debugging of substation's telecontrol information

Non-Patent Citations (1)

* Cited by examiner, † Cited by third party
Title
TELECOMMUNICATION ENGINEERING CENTRE , "GENERIC REQUIREMENTS FOR STM-64 SYNCHRONOUS MULTIPLEXER FOR TM, ADM & M-ADM APPLICATIONS FOR METRO NETWORKS", TRANSMISSION ISSUE, GENERIC REQUIREMENTS GR No.: TEC/GR/TX/SDH-007/02, JANUARY 2011. *

Also Published As

Publication number Publication date
AU2021104109A4 (en) 2021-08-26

Legal Events

Date Code Title Description
FGI Letters patent sealed or granted (innovation patent)
FF Certified innovation patent