CN101499898A - Method and apparatus for cipher key interaction - Google Patents

Method and apparatus for cipher key interaction

Info

Publication number
CN101499898A
Authority
CN
China
Prior art keywords
key
network unit
data
safe
optical network
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CNA2008100061368A
Other languages
Chinese (zh)
Inventor
张伟良
陶东明
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
ZTE Corp
Original Assignee
ZTE Corp
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2008-02-03
Filing date
2008-02-03
Publication date
2009-08-05
Application filed by ZTE Corp
Priority to CNA2008100061368A
Publication of CN101499898A
Legal status: Pending

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention discloses a key exchange method used for exchanging a data key between an optical line terminal and an optical network unit, where the data key is used for data encryption. The method comprises the following steps: the optical line terminal sends a data key update request to the optical network unit and carries related information about a security key in the request, the security key being used to encrypt the data key; the optical network unit obtains the security key from the related information and uses it to encrypt the updated data key requested by the optical line terminal; and the optical network unit sends the encrypted data key to the optical line terminal. The invention further discloses a key exchange device. The method and device achieve secure key exchange between the optical line terminal and the optical network unit, lowering the possibility that the data key is intercepted and improving the security of data exchange between the two.

Description

Cipher key interaction method and device
Technical field
The present invention relates to the field of communication technology, and in particular to a key exchange method and device for a PON (Passive Optical Network) system.
Background art
PON is a broadband passive optical access technology based on the ITU-T G.984 series and IEEE 802.3 series standards. A PON system usually consists of an optical line terminal (OLT), optical network units (ONUs) and an optical distribution network (ODN). The ODN generally has a point-to-multipoint structure, with one OLT connected to multiple ONUs. Data sent from the OLT to an ONU is called downstream data, and data sent from an ONU to the OLT is called upstream data.
In a PON system, downstream data is inherently broadcast: data sent by the OLT can be received by every ONU attached below it. For security, ITU-T G.984.3 and IEEE 802.3 specify that downstream data is encrypted with a symmetric cipher, and that the key is generated by the ONU and sent to the OLT.
In the current ITU-T G.984.3 and IEEE 802.3 standards, the ONU sends the key in plaintext to the OLT, so the plaintext key may be eavesdropped in the upstream direction.
No effective solution to this security problem has yet been proposed.
Summary of the invention
The present invention was made in view of the above problems. Its main purpose is to provide a key exchange method and device that solve the problem of insecure data key exchange between an optical line terminal and an optical network unit.
According to an embodiment of the invention, a key exchange method is provided for exchanging a data key between an optical line terminal and an optical network unit, where the data key is used to encrypt data.
The method comprises: the optical line terminal sends a data key update request to the optical network unit and carries related information about a security key in the key update request, where the security key is used to encrypt the data key; the optical network unit obtains the security key according to the related information about the security key and encrypts the updated data key requested by the optical line terminal with the security key; and the optical network unit sends the encrypted data key to the optical line terminal.
The optical line terminal uses a configuration or system parameter known to both itself and the optical network unit as the security key source, and sets the related information according to that security key source.
The types of security key source include: a security key group stored in advance by the optical line terminal and the optical network unit, the version image of the optical network unit, the serial number of the optical network unit, the IP address of the optical network unit, the media access control (MAC) address of the optical network unit, and ranging information. Each type of security key source corresponds to its own security key source type information.
When the security key source is the security key group, the related information comprises the identifier of the security key within the security key group and the security key source type information corresponding to the security key group.
When the security key source is the version image of the optical network unit, the related information comprises the start position and length within the version image and the security key source type information corresponding to the version image.
When the security key source is one of the serial number, IP address, MAC address or ranging information of the optical network unit, the related information is the security key source type information corresponding to that source.
In addition, the method further comprises: the optical line terminal obtains, according to the related information, the security key that was used to encrypt the data key, and decrypts the received encrypted data key.
According to another embodiment of the invention, a key exchange device is provided for exchanging a data key between an optical line terminal and an optical network unit, where the data key is used to encrypt data.
The device comprises: a sending module, used to send a data key update request from the optical line terminal to the optical network unit, carrying related information about a security key in the key update request, where the security key is used to encrypt the data key, and to send the data key encrypted with the security key from the optical network unit to the optical line terminal; and an encrypting module, by which the optical network unit obtains the security key according to the related information about the security key and encrypts the updated data key requested by the optical line terminal with the security key.
The device further comprises a determination module, used to take a configuration or system parameter known to both the optical line terminal and the optical network unit as the security key source, and to set the related information according to the security key source.
The device further comprises a decryption module, located in the optical line terminal, used to obtain, according to the related information, the security key that was used to encrypt the data key, and to decrypt the received encrypted data key.
Through the above technical scheme, secure key exchange can be achieved between the optical line terminal and the optical network unit, reducing the possibility that the data key is eavesdropped and improving the security of data exchange between them.
Description of drawings
The accompanying drawings are provided to give a further understanding of the invention and form part of this application; the illustrative embodiments of the invention and their description serve to explain the invention and do not unduly limit it. In the drawings:
Fig. 1 is a flow chart of the key exchange method according to the method embodiment of the invention; and
Fig. 2 is a block diagram of the key exchange device according to the device embodiment of the invention.
Embodiment
Specific embodiments of the invention are described in detail below with reference to the accompanying drawings.
Method embodiment
In this embodiment, a key exchange method is provided for exchanging a data key between the OLT and the ONU, where the data key is used to encrypt data.
As shown in Fig. 1, the key exchange method of this embodiment comprises: step S102, the OLT sends a data key update request to the ONU and carries related information about a security key in the key update request, where the security key is used to encrypt the data key; step S104, the ONU obtains the security key according to the related information about the security key and encrypts the updated data key requested by the OLT with the security key; step S106, the ONU sends the encrypted data key to the OLT.
The OLT uses a configuration or system parameter known to both itself and the ONU as the security key source, and sets the related information according to that security key source. That is, when the data key is exchanged between the OLT and the ONU, it is encrypted with the security key before being sent; the encryption and decryption method used for the security key may be the same as that used for the data key, or it may be different.
The types of security key source include but are not limited to: a security key group stored in advance by the OLT and the ONU, the version image of the ONU, the serial number of the ONU, the IP address of the ONU, the MAC address of the ONU, and ranging information. Each type of security key source corresponds to its own security key source type information. The security key group stored in advance by the OLT and the ONU and the version image of the ONU belong to system configuration, while the serial number, IP address, MAC address and ranging information of the ONU belong to system parameters.
When the security key source is the security key group, the related information comprises the identifier of the security key within the security key group and the security key source type information corresponding to the security key group.
When the security key source is the version image of the ONU, the related information comprises the start position and length within the version image and the security key source type information corresponding to the version image.
When the security key source is one of the serial number, IP address, MAC address or ranging information of the ONU, the related information is the security key source type information corresponding to that source. That is, in this case it is only necessary to inform the ONU which system parameter to use.
Preferably, the correspondence between security key source types and security key source type information can be pre-configured; the security key source type information can be an identifier placed in an unused field of the key update request message.
In addition, the method further comprises: the OLT obtains, according to the related information, the security key that was used to encrypt the data key, and decrypts the received encrypted data key.
The invention is described below with specific examples.
Several shared keys are preset in the OLT and the ONU; alternatively, a parameter known to both the OLT and the ONU is used as the key, and so on.
The key steps of the key exchange method of this example are:
Step (1): the OLT sends a data key update request to the ONU; if there are requirements on the security key, security key related information can be carried in the data key update request.
Step (2): the ONU generates a data key, obtains the security key according to the security key related information in the data key update request, encrypts the data key with the security key, and sends it to the OLT in a data key update response.
Step (3): the OLT obtains the encrypted data key from the data key update response and decrypts it with the security key to obtain the data key.
The invention is described below with concrete cases.
Example 1
This example takes a GPON (gigabit passive optical network) system as an example. When an ONU is installed for the first time, several security keys are preset in the ONU, each with a different number, and the same security keys and numbers are also set in the OLT. The security keys and numbers are required to differ between ONUs.
When a key group is used as the key source, the specific implementation process is as follows:
The OLT determines a security key number and stores it locally, then sends a key update request (Request_Key) message to the ONU to update the data key, carrying the security key number in the Request_Key message;
The ONU obtains the security key number from the Request_Key message and retrieves the security key from the locally stored security key group, generates a data key, encrypts the data key with the security key and sends it to the OLT in an encryption key (Encryption_Key) message;
The OLT obtains the security key according to the locally stored security key number, obtains the encrypted data key from the Encryption_Key message and decrypts it with the security key to obtain the data key.
Example 2
This example also takes a GPON system as an example. The OLT and the ONU use the software version image of the ONU as the security key source: because the ONU's software version image is delivered to the ONU by the OLT, the OLT and the ONU both hold the ONU's software version image. Because the ONU software version image changes infrequently, the security key remains secure as long as the ONU software version is kept secure. The OLT informs the ONU of the start position of the security key within the software version image.
When the version image is used as the key source, the specific implementation process is as follows:
The OLT determines the start position of the security key in the software version image and stores it locally, then sends a Request_Key message to the ONU carrying the position of the security key in the software version image;
The ONU obtains the position of the security key in the software version image from the Request_Key message and retrieves the security key from its local copy, generates a data key, encrypts the data key with the security key and sends it to the OLT in an Encryption_Key message;
The OLT obtains the security key according to the locally stored position in the software version image, obtains the encrypted data key from the Encryption_Key message and decrypts it with the security key to obtain the data key.
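The Request_Key / Encryption_Key exchange of Examples 1 and 2 simulated end to end, as an added illustration that is not code from the patent or from ZTE. The message layout, the source-type identifiers, the key group, the ONU image bytes and the HMAC-based wrap primitive are all assumptions (the patent names no cipher and no field encoding); what it shows is that only the source reference crosses the simulated link, that both sides derive the same security key from it, and that a mismatched source is detected rather than yielding a wrong data key silently.

```python
import hashlib
import hmac
import os
import struct

# Security key source type identifiers carried in Request_Key. Constructed
# values: the patent only says a pre-configured identifier is placed in an
# unused field of the key update request message.
SRC_KEY_GROUP = 1      # param = 1-byte index into the pre-stored key group
SRC_VERSION_IMAGE = 2  # param = 2-byte offset, 2-byte length into the image

# Constructed shared state, provisioned on both OLT and ONU at install time.
KEY_GROUP = {
    0: hashlib.sha256(b"constructed group key 0").digest(),
    1: hashlib.sha256(b"constructed group key 1").digest(),
}
ONU_IMAGE = hashlib.sha512(b"constructed ONU software image").digest() * 8  # 512 B

def build_request_key(src_type: int, param: bytes) -> bytes:
    """Request_Key body: 1-byte source type, 2-byte param length, param."""
    return struct.pack("!BH", src_type, len(param)) + param

def parse_request_key(msg: bytes):
    src_type, n = struct.unpack("!BH", msg[:3])
    param = msg[3:3 + n]
    if len(param) != n:
        raise ValueError("truncated Request_Key")
    return src_type, param

def resolve_security_key(src_type: int, param: bytes) -> bytes:
    """Both sides derive the same 32-byte security key from the named source."""
    if src_type == SRC_KEY_GROUP:
        raw = KEY_GROUP[param[0]]            # KeyError if the index is unknown
    elif src_type == SRC_VERSION_IMAGE:
        off, ln = struct.unpack("!HH", param)
        if ln < 16 or off + ln > len(ONU_IMAGE):
            raise ValueError("image window out of range")
        raw = ONU_IMAGE[off:off + ln]
    else:
        raise ValueError("unknown security key source type")
    return hashlib.sha256(b"pon-security-key|" + raw).digest()

def wrap_data_key(sec_key: bytes, data_key: bytes) -> bytes:
    """Assumed wrap primitive (the patent names no cipher): nonce || ct || tag."""
    nonce = os.urandom(16)
    stream = hmac.new(sec_key, b"enc" + nonce, hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(data_key, stream[:len(data_key)]))
    tag = hmac.new(sec_key, b"mac" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unwrap_data_key(sec_key: bytes, blob: bytes) -> bytes:
    """Reject an Encryption_Key that was tampered with or wrapped under another key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(sec_key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("Encryption_Key failed integrity check")
    stream = hmac.new(sec_key, b"enc" + nonce, hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(ct, stream[:len(ct)]))

def onu_handle_request_key(msg: bytes):
    """ONU side (steps S104/S106): derive the security key, make a fresh data key, wrap it."""
    src_type, param = parse_request_key(msg)
    sec_key = resolve_security_key(src_type, param)
    data_key = os.urandom(16)                # 128-bit downstream data key
    return data_key, wrap_data_key(sec_key, data_key)  # Encryption_Key body

def olt_key_update(src_type: int, param: bytes):
    """OLT side (step S102 plus decryption): the security key itself never crosses the link."""
    sec_key = resolve_security_key(src_type, param)  # kept locally at the OLT
    request = build_request_key(src_type, param)
    onu_data_key, encryption_key = onu_handle_request_key(request)  # simulated PON link
    recovered = unwrap_data_key(sec_key, encryption_key)
    return onu_data_key, recovered, request, encryption_key

def mismatch_is_detected() -> bool:
    """Failure mode: the OLT holds a different group index than the ONU used."""
    _, _, _, encryption_key = olt_key_update(SRC_KEY_GROUP, b"\x00")
    try:
        unwrap_data_key(resolve_security_key(SRC_KEY_GROUP, b"\x01"), encryption_key)
    except ValueError:
        return True
    return False
```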
Device embodiment
In this embodiment, a key exchange device is provided for exchanging a data key between the OLT and the ONU, where the data key is used to encrypt data.
As shown in Fig. 2, the key exchange device of this embodiment comprises: a sending module 202, used to send a data key update request from the OLT to the ONU, carrying related information about a security key in the key update request, where the security key is used to encrypt the data key, and to send the data key encrypted with the security key from the ONU to the OLT; and an encrypting module 204, by which the ONU obtains the security key according to the related information about the security key and encrypts the updated data key requested by the OLT with the security key.
In addition, the device may further comprise a determination module, used to take a configuration or system parameter known to both the OLT and the ONU as the security key source, and to set the related information according to the security key source.
In addition, the device further comprises a decryption module, located in the OLT, used to obtain, according to the related information, the security key that was used to encrypt the data key, and to decrypt the received encrypted data key.
Through the above technical scheme, secure key exchange can be achieved between the OLT and the ONU, reducing the possibility that the data key is eavesdropped and improving the security of data exchange between the OLT and the ONU.
The above are only preferred embodiments of the invention and do not limit it; for those skilled in the art, the invention may have various changes and variations. Any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the invention shall be included within the scope of protection of the invention.

Claims (10)

1. A key exchange method for exchanging a data key between an optical line terminal and an optical network unit, wherein the data key is used to encrypt data, the method comprising:
the optical line terminal sends a data key update request to the optical network unit and carries related information about a security key in the key update request, wherein the security key is used to encrypt the data key;
the optical network unit obtains the security key according to the related information about the security key and encrypts the updated data key requested by the optical line terminal with the security key;
the optical network unit sends the encrypted data key to the optical line terminal.
2. The method according to claim 1, characterized in that the optical line terminal uses a configuration or system parameter known to both itself and the optical network unit as the security key source, and sets the related information according to the security key source.
3. The method according to claim 2, characterized in that the types of the security key source comprise: a security key group stored in advance by the optical line terminal and the optical network unit, the version image of the optical network unit, the serial number of the optical network unit, the IP address of the optical network unit, the media access control address of the optical network unit, and ranging information, wherein each type of security key source corresponds to its own security key source type information.
4. The method according to claim 3, characterized in that, when the security key source is the security key group, the related information comprises the identifier of the security key within the security key group and the security key source type information corresponding to the security key group.
5. The method according to claim 3, characterized in that, when the security key source is the version image of the optical network unit, the related information comprises the start position and length within the version image and the security key source type information corresponding to the version image.
6. The method according to claim 3, characterized in that, when the security key source is one of the serial number, IP address, media access control address or ranging information of the optical network unit, the related information is the security key source type information corresponding to that source.
7. The method according to any one of claims 1 to 6, characterized in that it further comprises:
the optical line terminal obtains, according to the related information, the security key that was used to encrypt the data key, and decrypts the received encrypted data key.
8. A key exchange device for exchanging a data key between an optical line terminal and an optical network unit, wherein the data key is used to encrypt data, the device comprising:
a sending module, used to send a data key update request from the optical line terminal to the optical network unit, carrying related information about a security key in the key update request, wherein the security key is used to encrypt the data key, and to send the data key encrypted with the security key from the optical network unit to the optical line terminal;
an encrypting module, by which the optical network unit obtains the security key according to the related information about the security key and encrypts the updated data key requested by the optical line terminal with the security key.
9. The device according to claim 8, characterized in that it further comprises: a determination module, used to take a configuration or system parameter known to both the optical line terminal and the optical network unit as the security key source, and to set the related information according to the security key source.
10. The device according to claim 8 or 9, characterized in that it further comprises: a decryption module, located in the optical line terminal, used to obtain, according to the related information, the security key that was used to encrypt the data key, and to decrypt the received encrypted data key.

Priority Applications (1)

Application Number Priority Date Filing Date Title
CNA2008100061368A CN101499898A (en) 2008-02-03 2008-02-03 Method and apparatus for cipher key interaction

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CNA2008100061368A CN101499898A (en) 2008-02-03 2008-02-03 Method and apparatus for cipher key interaction

Publications (1)

Publication Number Publication Date
CN101499898A true CN101499898A (en) 2009-08-05

Family

ID=40946791

Family Applications (1)

Application Number Title Priority Date Filing Date
CNA2008100061368A Pending CN101499898A (en) 2008-02-03 2008-02-03 Method and apparatus for cipher key interaction

Country Status (1)

Country Link
CN (1) CN101499898A (en)

Cited By (9)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2010145599A1 (en) * 2009-09-29 2010-12-23 中兴通讯股份有限公司 Method and system for implementing information interaction security in passive optical network
CN102036128A (en) * 2009-09-29 2011-04-27 中兴通讯股份有限公司 Method and system for realizing information interaction security in Gigabit-capable passive optical network
CN102045601A (en) * 2009-10-22 2011-05-04 中兴通讯股份有限公司 Optical network unit (ONU) activating method and system in gigabit passive optical network (GPON) system
CN102045601B (en) * 2009-10-22 2015-06-10 中兴通讯股份有限公司 Optical network unit (ONU) activating method and system in gigabit passive optical network (GPON) system
CN102256188A (en) * 2010-01-31 2011-11-23 Pmc-塞拉以色列有限公司 System for redundancy in ethernet passive optical networks (EPONs)
CN102256188B (en) * 2010-01-31 2014-03-05 Pmc-塞拉以色列有限公司 System for redundancy in ethernet passive optical networks (EPONs)
CN101959189A (en) * 2010-09-21 2011-01-26 中兴通讯股份有限公司 Method and system for managing access password and basic key
CN114710780A (en) * 2022-03-16 2022-07-05 湖南斯北图科技有限公司 Method for on-orbit updating and management of satellite measurement and control link communication secret key
CN114710780B (en) * 2022-03-16 2024-08-16 湖南斯北图科技有限公司 Method for updating and managing satellite measurement and control link communication key on orbit

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C12 Rejection of a patent application after its publication
RJ01 Rejection of invention patent application after publication

Application publication date: 20090805