CN101183934A - Cipher key updating method in passive optical network - Google Patents

Info

Publication number
CN101183934A
Authority
CN
China
Legal status
Pending
Application number
CNA2007101815669A
Other languages
Chinese (zh)
Inventor
张伟良
Current Assignee
ZTE Corp
Original Assignee
ZTE Corp

Abstract

The invention discloses a key updating method in a passive optical network (PON), in the field of key updating techniques, which aims to solve the problem that key updating in existing passive optical networks may leave the ONU key and the OLT key inconsistent. The technical solution is: A. after the optical network unit (ONU) receives the key request sent by the optical line terminal (OLT), it generates a new key, assigns an index to the new key, caches the new key and its index, and sends the new key and its index to the OLT; B. after receiving a packet from the OLT, the ONU parses the index of the key used to encrypt the data and checks whether it is the same as the index of its current key; when the parsed index differs from the current key index, the ONU looks up, among the cached new keys, the key whose index matches the parsed index and replaces the current key and index with the key and index found. The invention has the advantages that the reliability of data exchange between the OLT and the ONU is fully guaranteed and the implementation is simple.

Description

Key updating method in a passive optical network
Technical field
The present invention relates to key updating technology, and in particular to a key updating method in a passive optical network.
Background technology
A passive optical network (PON) is a broadband passive optical access technology, a point-to-multipoint fibre access technology. It consists of an optical line terminal (OLT) installed at the central office, a set of matching optical network units (ONU) installed at customer premises, and an optical distribution network (ODN). The ODN is generally a point-to-multipoint structure in which one OLT connects to multiple ONUs. The ODN between the OLT and the ONUs comprises optical fibre and passive devices such as passive optical splitters or couplers, and contains no active equipment. Because the PON has relatively low cost among fibre access methods and allows smooth upgrades, it has become the direction of future broadband access network development.
PONs come in several forms, such as APON (ATM Passive Optical Network, where ATM is asynchronous transfer mode), BPON (Broadband Passive Optical Network), EPON (Ethernet Passive Optical Network) and GPON (Gigabit Passive Optical Network), but their basic structures differ little. In data transmission, the downstream direction uses broadcast: the OLT at the central office sends the downstream optical signal through an optical splitter, which demultiplexes it to every ONU; in the upstream direction the signals of the individual ONUs are combined by an optical coupler onto one fibre and multiplexed to the OLT.
The key updating mode between the ONU and the OLT is explained below using the currently common GPON as an example.
In a PON system, downstream data is inherently broadcast: every ONU connected below the OLT can receive the data the OLT sends. For security, Recommendation G.984.3 of the International Telecommunication Union (ITU-T) recommends encrypting downstream data in the GPON system with the Advanced Encryption Standard (AES): the OLT encrypts downstream data with a key, and the ONU decrypts the data from the OLT with that key.
The OLT and the ONU each keep a key and jointly perform key management. The key management flow between the OLT and the ONU can be divided into two phases: key exchange and key switching.
In the key exchange phase, the OLT sends a Key_Request message to the ONU; the ONU generates a new key, stores it in its shadow_key_register, and sends the new key to the OLT in an Encryption_Key message; the OLT stores the key in its own shadow_key_register.
In the key switching phase, the OLT selects a frame to be sent as the first frame that uses the new key, and sends the superframe counter of that key switch frame to the ONU in a Key_Switching_Time message. The Key_Switching_Time message is sent three times; the ONU needs to receive only one correct copy to learn the superframe counter of the key switch frame. Whenever the ONU receives a Key_Switching_Time message from the OLT, it sends an acknowledgement to the OLT indicating that it has obtained the superframe counter of the key switch frame. When the key switch frame begins, the OLT copies the content of its local shadow_key_register into its local active_key_register, the ONU copies the content of its local shadow_key_register into its active_key_register, and from the key switch frame onward the OLT and the ONU use the new key to encrypt and decrypt downstream data.
In the key switching phase, if the OLT does not receive the ONU's acknowledgement after sending the Key_Switching_Time message, it cannot know whether the ONU received the message. At that point, whether or not the OLT performs the key switch, the current keys of the OLT and the ONU may become inconsistent: if the OLT performs the switch but the ONU did not receive the OLT's key switch command, the ONU's key is not switched; if the OLT does not perform the switch but the ONU did receive the Key_Switching_Time message and only the acknowledgement the ONU sent was lost, the ONU's key is switched. Hence the existing key switching procedure may leave the OLT and ONU keys out of sync in a PON system; once the keys are out of sync, the data received at the ONU end cannot be decrypted and is lost. Other PON systems such as APON, BPON and EPON have the same problem, which is not repeated here.
Summary of the invention
In view of this, the main purpose of the present invention is to provide a key updating method in a passive optical network that ensures the data the OLT end sends to the ONU end can always be decrypted, so that the data received at the ONU end is correct.
To achieve the above object, the technical solution of the present invention is as follows:
A key updating method in a passive optical network comprises:
A. after receiving the key request sent by the optical line terminal (OLT), the optical network unit (ONU) generates a new key, assigns an index to the generated new key, caches the new key and its index locally, and sends the new key and its index to the OLT;
B. after receiving a packet from the OLT end, the ONU parses the index of the key used to encrypt the data and checks whether the parsed index is the same as the index of the ONU's currently set key; if not, it looks up in the local cache the key whose index matches the parsed index and replaces the currently set key and its index with the new key and index found.
The method may further comprise, between steps A and B:
the OLT updates its current key and index with the received new key and index, encrypts data with the updated key, and includes the key's index in the packet that carries the encrypted data.
The currently set key in step B may be stored in a designated storage area in the ONU.
The currently set key in step B may be the default key the ONU uses to decrypt received data.
In step B, when the parsed index and the index of the currently set key are identical, the currently set key is used to decrypt the data in the received packet.
The index may be a key identifier.
In a gigabit passive optical network (GPON), when the OLT sends the index, the index and the encrypted data are encapsulated together in a GEM (G-PON Encapsulation Mode) frame, and the ONU obtains the index after reception by parsing the GEM frame directly.
The present invention attaches index information to keys, so whether the keys at the ONU and the OLT are the same can easily be determined by comparing the index information. After the ONU generates a new key in response to the OLT's request, it does not immediately make that new key the ONU's currently set decryption key; it updates only after receiving a packet from the OLT side that confirms the OLT side has started using the new key. After the ONU parses the key index in the packet sent by the OLT, it finds, among the decryption key indexes it stores, the key with the same index as the parsed one, and that is the decryption key the ONU should use; until the next key update, the encrypted data sent by the OLT end is always decrypted with the key so determined. During the key updating process, regardless of whether the key update on the OLT end and on the ONU end is consistent, the ONU can always select the key matching the one the OLT end used to encrypt the data and decrypt the received encrypted data with it. The present invention fully guarantees the reliability of data exchange between the OLT and the ONU.
Description of drawings
Fig. 1 is a schematic flow chart of the implementation of the key updating method in a passive optical network of the present invention.
Embodiments
The core idea of the present invention is as follows. To keep the data the OLT sends to the ONUs in the PON secure, the data the OLT sends to an ONU needs to be encrypted, and the data encryption key used on the OLT side is generated by the destination ONU itself; in this way the encrypted data the OLT transmits can be decrypted only by the destination ONU, and the other ONUs connected to the OLT receive the encrypted data but cannot decrypt it. Key consistency between the ONU and the OLT side is therefore vital: if the keys are inconsistent, the ONU cannot receive the data the OLT sends. At present, key updating between the OLT and the ONU uses a message notification mechanism, which under normal circumstances guarantees key consistency between the OLT and the ONU; but if the update message fails to be delivered, the keys at the OLT and the ONU become inconsistent and the ONU side cannot receive the data from the OLT side. For this situation, the present invention attaches index information to keys and uses the index information to determine whether the keys are the same: the ONU first parses the key index in the packet sent by the OLT, then finds among its stored key indexes the one identical to the parsed index, and so determines the decryption key it should use; until the next key update, the encrypted data sent by the OLT end is always decrypted with the key so determined. During the key updating process, regardless of whether the key update on the OLT end and on the ONU end is consistent, the ONU can always select the key consistent with the OLT's and decrypt the received encrypted data with it. The present invention is described below with reference to the accompanying drawing.
Fig. 1 is a schematic flow chart of the implementation of the key updating method in a passive optical network of the present invention. As shown in Fig. 1, the key updating method in a passive optical network of the present invention comprises the following steps, described here using GPON as an example:
Step 101: after receiving the key request sent by the OLT, the ONU generates a new key, assigns an index to the generated new key, caches the new key and its index, and sends the new key and its index to the OLT.
During communication between the OLT side and an ONU, when data security requires the key shared with a given ONU to be updated, the OLT sends a key request (Request_Key) message to that ONU. On receiving the Request_Key message, the ONU generates a new key and assigns a corresponding index to it. Here the main role of the key index is to identify a specific key; every time the ONU generates a key, it assigns an index to the generated key. The index can be a random number of a certain number of digits, or a number of a certain number of digits that cycles in order: for example, it can be generated at random from the 8-bit range 0 to 255, or it can cycle in order from 0 to 255 as the key index. The ONU temporarily stores the new key and its key index in its local shadow_key_register, and sends the newly generated key and its key index to the OLT in a key reply (Encryption_Key) message. This can be split into two transmissions, each Encryption_Key message carrying part of the new key. The Encryption_Key message in G.984.3 supports carrying a key index. The ONU also stores the key used to decrypt the encrypted data from the OLT side; this decryption key is kept in a set storage area and is the ONU's default key for decrypting data sent by the OLT side. The present invention does not replace this default key with the newly generated key directly; it replaces the currently set default key in the ONU with the newly generated key only after confirming that the OLT has adopted the newly generated key to encrypt the data it transmits.
Step 102: the OLT updates its current key and index with the received new key and index, encrypts data with the updated key, and includes the key's index in the packet that carries the encrypted data.
After receiving the key reply (Encryption_Key) message sent by the ONU, the OLT extracts the key and its index information from it and replaces the old key and index it stores locally for that ONU with the new key and index respectively. When the OLT needs to send data to that ONU, it encrypts the data to be sent with the new key after replacement and also encapsulates the index of the new key used in the packet. That is, once the OLT side has received the new key and its index from a given ONU, it replaces that ONU's original key with the new key and indicates the index of the key used in the data frame. When sent, the key index and the encrypted data are encapsulated together in a GEM (G-PON Encapsulation Mode) frame, and after receiving it the ONU can obtain the key index by parsing the GEM frame directly. The structure of a GEM frame containing the key index is shown in Table 1:
Table 1: GEM frame structure carrying the key index
Field                        Width
Payload length               12 bits
GEM Port ID                  12 bits
Payload type                 3 bits
Header error control (HEC)   13 bits
Key index                    8 bits
Payload
Step 103: after receiving a packet from the OLT end, the ONU parses the index of the key used to encrypt the data and checks whether it is identical to the index of the currently set key; if not, it looks up among the cached new keys the key whose index matches the parsed index and replaces the currently set key and its index with the new key and index found.
After generating a new key, when the ONU next receives a packet sent by the OLT, it parses the packet, extracts the key index from it, and compares that index with the index of the decryption key currently set in the ONU to check whether the two indexes are the same. If they are the same, the OLT failed to update to the key newly generated by the ONU and is still encrypting data with the key from before the update; the ONU side therefore performs no key update and deletes the temporarily stored newly generated key. If the parsed key index differs from the index of the decryption key currently set in the ONU, the ONU searches the key indexes it has temporarily stored for the index identical to the parsed one; once found, it replaces the ONU's default key with that new key index and key, and decrypts the data sent by the OLT with the updated key until the next key update request arrives.
The key updating method of the present invention is applicable to the various passive optical networks, including APON, BPON, EPON and GPON.
The present invention fully guarantees the reliability of data exchange between the OLT and the ONU, and is simple to implement.
The above are merely preferred embodiments of the present invention and are not intended to limit the scope of protection of the present invention.
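As an added worked example (not part of the patent), the following Python simulates steps 101 to 103 end to end, including the Table 1 frame layout with its 8-bit key index: it packs and parses a GEM-style header, then runs both outcomes of an update, the Encryption_Key reply reaching the OLT and the reply being lost, and shows that the ONU selects the right decryption key in each case. The SHA-256 keystream standing in for AES, the zero HEC, the 16-byte keys and the message texts are assumptions of the example.

```python
import hashlib
import os

# Stand-in for the AES encryption that G.984.3 specifies: a SHA-256 keystream
# XOR, so the example runs with the standard library only. The same call
# decrypts, since XOR with the same keystream undoes itself.
def keystream_xor(key, data):
    out = bytearray()
    ctr = 0
    while len(out) < len(data):
        out += hashlib.sha256(key + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, out))

# GEM header laid out as in Table 1: 12-bit payload length, 12-bit port ID,
# 3-bit payload type, 13-bit HEC, then the 8-bit key index, then the payload.
# The HEC value is a placeholder (zero); a real GPON header computes it.
def pack_gem(payload_len, port_id, ptype, key_index, hec=0):
    if not (0 <= payload_len < 4096 and 0 <= port_id < 4096 and 0 <= ptype < 8
            and 0 <= hec < 8192 and 0 <= key_index < 256):
        raise ValueError("GEM header field out of range")
    hdr = (payload_len << 28) | (port_id << 16) | (ptype << 13) | hec
    return hdr.to_bytes(5, "big") + bytes([key_index])

def parse_gem(frame):
    if len(frame) < 6:
        raise ValueError("frame shorter than GEM header plus key index")
    hdr = int.from_bytes(frame[:5], "big")
    return {"payload_len": hdr >> 28, "port_id": (hdr >> 16) & 0xFFF,
            "ptype": (hdr >> 13) & 0x7, "hec": hdr & 0x1FFF,
            "key_index": frame[5], "payload": frame[6:]}

class OLT:
    def __init__(self, key, index):
        self.key, self.index = key, index

    def on_encryption_key(self, key, index):
        # Step 102: replace the stored key and index with the ONU's new ones.
        self.key, self.index = key, index

    def send(self, port_id, plaintext):
        # Encrypt under the current key and tag the frame with that key's index.
        ct = keystream_xor(self.key, plaintext)
        return pack_gem(len(ct), port_id, 0, self.index) + ct

class ONU:
    def __init__(self, key, index):
        self.active_key, self.active_index = key, index  # default decryption key
        self.shadow = {}                      # new keys cached by index, unconfirmed
        self.next_index = (index + 1) % 256   # indexes cycle 0..255 in order

    def on_key_request(self):
        # Step 101: generate a key, assign the next index, cache both and return
        # them for the Encryption_Key reply. The default key is left untouched.
        idx, self.next_index = self.next_index, (self.next_index + 1) % 256
        key = os.urandom(16)
        self.shadow[idx] = key
        return key, idx

    def on_downstream(self, frame):
        # Step 103: learn from the index which key the OLT actually used.
        f = parse_gem(frame)
        idx = f["key_index"]
        if idx != self.active_index:
            # The OLT has switched: promote the cached key with that index.
            if idx not in self.shadow:
                raise KeyError("no cached key with index %d" % idx)
            self.active_key, self.active_index = self.shadow[idx], idx
        # Same index means the update never reached the OLT; in either case the
        # pending copies are no longer needed and are discarded.
        self.shadow.clear()
        return keystream_xor(self.active_key, f["payload"])

def run_scenarios():
    k0 = bytes(range(16))                      # constructed initial shared key
    # Case 1: the Encryption_Key reply reaches the OLT, which moves to index 1.
    olt, onu = OLT(k0, 0), ONU(k0, 0)
    olt.on_encryption_key(*onu.on_key_request())
    ok_switched = (onu.on_downstream(olt.send(1, b"after update")) == b"after update"
                   and onu.active_index == 1 and not onu.shadow)
    # Case 2: the reply is lost and the OLT keeps encrypting under index 0.
    olt, onu = OLT(k0, 0), ONU(k0, 0)
    onu.on_key_request()                       # reply never delivered
    ok_lost = (onu.on_downstream(olt.send(1, b"still old key")) == b"still old key"
               and onu.active_index == 0 and not onu.shadow)
    return ok_switched, ok_lost
```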

Claims (7)

1. A key updating method in a passive optical network, characterized in that the method comprises:
A. after receiving the key request sent by the optical line terminal (OLT), the optical network unit (ONU) generates a new key, assigns an index to the generated new key, caches the new key and its index locally, and sends the new key and its index to the OLT;
B. after receiving a packet from the OLT end, the ONU parses the index of the key used to encrypt the data and checks whether the parsed index is the same as the index of the ONU's currently set key; if not, it looks up in the local cache the key whose index matches the parsed index and replaces the currently set key and its index with the new key and index found.
2. The key updating method in a passive optical network according to claim 1, characterized in that it further comprises, between steps A and B:
the OLT updates its current key and index with the received new key and index, encrypts data with the updated key, and includes the key's index in the packet that carries the encrypted data.
3. The key updating method in a passive optical network according to claim 2, characterized in that the currently set key in step B is stored in a designated storage area in the ONU.
4. The key updating method in a passive optical network according to claim 2, characterized in that the currently set key in step B is the default key the ONU uses to decrypt received data.
5. The key updating method in a passive optical network according to claim 4, characterized in that in step B, when the parsed index and the index of the currently set key are identical, the currently set key is used to decrypt the data in the received packet.
6. The key updating method in a passive optical network according to any one of claims 1 to 5, characterized in that the index is a key identifier.
7. The key updating method in a passive optical network according to claim 2, characterized in that in a gigabit passive optical network (GPON), when the OLT sends the index, the index and the encrypted data are encapsulated together in a G-PON Encapsulation Mode (GEM) frame, and the ONU obtains the index after reception by parsing the GEM frame directly.

Priority Applications (1)

Application Number | Priority Date | Filing Date | Title
CNA2007101815669A (CN101183934A) | 2007-10-23 | 2007-10-23 | Cipher key updating method in passive optical network

Publications (1)

Publication Number | Publication Date
CN101183934A | 2008-05-21

Family

ID=39449032

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20080521