CN101931830B - Method for upgrading secret key in Gigabit passive optical network and optical line terminal - Google Patents

Info

Publication number: CN101931830B
Application number: CN200910086698.2A
Authority: CN (China)
Prior art keywords: key, ONU, flag, mapping table, frame number
Legal status: Active (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Other languages: Chinese (zh)
Other versions: CN101931830A
Inventor: 袁伟 (Yuan Wei)
Current assignee: ZTE Corp (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: ZTE Corp
Priority date: 2009-06-18 (the priority date is an assumption and is not a legal conclusion)
Filing date: 2009-06-18
Publication dates: 2010-12-29 (CN101931830A, application publication); 2014-03-19 (CN101931830B, grant)
Related application: PCT/CN2009/074866, published as WO2010145116A1

Classifications

    • H04Q11/0067 Provisions for optical access or distribution networks, e.g. Gigabit Ethernet Passive Optical Network (GE-PON), ATM-based Passive Optical Network (A-PON), PON-Ring (H Electricity > H04 Electric communication technique > H04Q Selecting > H04Q11/00 Selecting arrangements for multiplex systems > H04Q11/0001 using optical switching > H04Q11/0062 Network aspects)
    • H04L63/06 Network architectures or network communication protocols for network security, for supporting key management in a packet data network (H04L Transmission of digital information, e.g. telegraphic communication > H04L63/00 Network security)
    • H04L9/0891 Revocation or update of secret information, e.g. encryption key update or rekeying (H04L9/00 Cryptographic mechanisms or arrangements for secret or secure communications; network security protocols > H04L9/08 Key distribution or management, e.g. generation, sharing or updating of cryptographic keys or passwords)
    • H04Q2011/0079 Operation or maintenance aspects (H04Q11/00 > H04Q11/0001 > H04Q11/0062 Network aspects)

Abstract

The invention provides a method for updating a key in a Gigabit passive optical network (GPON), and an optical line terminal (OLT). After the OLT has finished encrypting a GTC frame it performs the following steps: A, poll a first mapping table, indexed by ONU identifier, to obtain the corresponding new-key flag and key-switch frame number; B, for each ONU identifier, check whether the new-key flag is true and whether the key-switch frame number equals the current GTC frame number plus 1, and if both hold, determine that the corresponding ONU needs a key switch; C, for each ONU that needs a key switch, look up a second mapping table, indexed by ONU identifier, to obtain the new key, and set that ONU's new-key flag in the first mapping table to false; D, write the obtained new key over the corresponding current key in a third mapping table. The method achieves reliable and timely key updates for the ONUs.

Description

Key updating method in a Gigabit passive optical network, and optical line terminal
Technical field
The invention belongs to the field of Gigabit passive optical network (GPON) technology, and in particular relates to a key updating method in a GPON and to an optical line terminal (OLT).
Background
Optical access networks solve the access-network bottleneck of fixed networks and, with an attractive price/performance ratio, have become the favoured access technology. Among them the passive optical network (PON), with its simple topology and low maintenance cost, stands out. GPON, one of the main PON technologies, attracts operators with its rich operation, administration and maintenance (OAM) functions, but the complexity of its implementation has slowed commercial deployment.
In a GPON system one optical line terminal (OLT) at the central office controls a number of optical network units (ONUs) at the subscriber side. The OLT broadcasts fixed-length GPON Transmission Convergence (GTC) frames downstream to the ONUs at a fixed rate. A GTC frame carries the data for all ONUs, so every ONU receives the data the OLT sends to every other ONU. Sending that downstream data in the clear would therefore not be secure, and an encryption mechanism has to be introduced; the one in wide use today is downstream AES (Advanced Encryption Standard) encryption. Each ONU has its own AES key, known only to that ONU and to the OLT. The OLT encrypts a given ONU's data with that ONU's key, so only that ONU can decrypt it correctly. If a key never changed, however, a malicious ONU could eventually crack it and use it indefinitely, so the keys must be renewed periodically; this is the basic protection of downstream security against key cracking.
The AES key update procedure is initiated periodically by the OLT. On receiving the OLT's command, the ONU generates a new key, keeps one copy and sends another copy upstream to the OLT. After receiving the new key the OLT configures the key switch time, keeps one copy of it and sends a copy downstream to the ONU. The switch time is a downstream GTC frame number: the OLT and the ONU both switch at that frame, which guarantees the correctness of the data. The switch to the new key must take place after the last data encrypted with the old key has been sent and before the first data encrypted with the new key is sent; each switch must be performed exactly once; it should complete as quickly as possible so that the new keys of all ONUs can be switched at the same time; and it must not slow down downstream data processing.
In the current AES key update mechanism, the key switch of the next ONU starts only after the key switch of the previous ONU has completed. Because each ONU's switch holds the switching resource exclusively, the total switch time is long. On the one hand this limits the number of ONUs that can be switched in one round, which is a defect of the system; on the other hand it lowers the effective downstream rate, and in some designs it may even interrupt the OLT's downstream transmission or restart the system.
How to perform reliable and timely key updates within GPON downstream data processing has therefore become an urgent technical problem.
Summary of the invention
The technical problem solved by the invention is to provide a key updating method in a Gigabit passive optical network, and an optical line terminal, so as to update the keys of the ONUs reliably and in a timely manner.
A key updating method in a Gigabit passive optical network comprises setting up the following three mapping tables in the optical line terminal:
The first mapping table stores ONU identifiers and the corresponding new-key flag and key-switch frame number;
The second mapping table stores ONU identifiers and the corresponding new key;
The third mapping table stores ONU identifiers and the corresponding current key;
After the OLT finishes encrypting the current downstream GTC frame, the following steps are executed in parallel, as a pipeline:
A. Poll the first mapping table, indexed by ONU identifier, to obtain the corresponding new-key flag and key-switch frame number;
B. For each ONU identifier, check whether the new-key flag is true and whether the key-switch frame number equals the current GTC frame number plus 1; if both hold, determine that the corresponding ONU needs a key switch;
C. For each ONU that needs a key switch, look up the second mapping table, indexed by ONU identifier, to obtain the new key, and set that ONU's new-key flag in the first mapping table to false;
D. Write the obtained new key over the corresponding current key in the third mapping table.
The above method further comprises, in step A:
After the last entry has been polled, starting a timer; when the timer expires, instructing the downstream data processing module in the OLT to encrypt the next GTC frame.
In the above method, the timer period is not less than the time needed for the ONU corresponding to the last polled entry to pass from step B through step D.
In the above method, the key is an Advanced Encryption Standard (AES) key.
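The following is an added example, not code from the patent or from ZTE: a runnable Python model of the three OLT-side tables the patent names (SWITCH, SHADOW, ACTIVE), of the per-frame steps A to D, and of a minimal ONU, so that the frame-aligned switch can be checked from both ends. The class and function names are the example's own. It assumes a SHA-256 keystream XOR as a stand-in for the per-ONU AES cipher the patent refers to, a switch frame chosen two frames ahead of the upload, and constructed keys and payloads.

```python
"""Model of the patent's SWITCH / SHADOW / ACTIVE tables and steps A-D (added example)."""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, Optional


def keystream_xor(key: bytes, frame_no: int, data: bytes) -> bytes:
    """Stand-in cipher (assumption, not GPON AES): XOR with a keystream derived from the
    key and the GTC frame number. Symmetric, so the same call decrypts."""
    stream = b""
    block = 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + frame_no.to_bytes(4, "big") + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(a ^ b for a, b in zip(data, stream))


@dataclass
class OLT:
    switch: Dict[int, tuple] = field(default_factory=dict)  # SWITCH: onu_id -> (new_key_flag, switch_frame)
    shadow: Dict[int, bytes] = field(default_factory=dict)  # SHADOW: onu_id -> new key, not yet in use
    active: Dict[int, bytes] = field(default_factory=dict)  # ACTIVE: onu_id -> key used to encrypt now
    frame_no: int = 0                                       # number of the next GTC frame to encrypt

    def register(self, onu_id: int, key: bytes) -> None:
        self.active[onu_id] = key
        self.switch[onu_id] = (False, 0)

    def receive_new_key(self, onu_id: int, new_key: bytes) -> int:
        """ONU uploaded a new key: store it in SHADOW, choose the switch frame, arm the
        SWITCH entry (flag true) and return the frame number to send downstream."""
        switch_frame = self.frame_no + 2  # assumption: switch two frames from now
        self.shadow[onu_id] = new_key
        self.switch[onu_id] = (True, switch_frame)
        return switch_frame

    def encrypt_frame(self, payloads: Dict[int, bytes]) -> Dict[int, bytes]:
        """Encrypt one GTC frame with the ACTIVE keys, then run steps A-D in the gap
        before the next frame."""
        frame = {onu: keystream_xor(self.active[onu], self.frame_no, data)
                 for onu, data in payloads.items()}
        self.key_switch_round()
        self.frame_no += 1
        return frame

    def key_switch_round(self) -> list:
        """Steps A-D for the frame that has just been encrypted; returns switched ONU IDs."""
        switched = []
        for onu_id, (flag, switch_frame) in list(self.switch.items()):  # A: poll SWITCH
            if flag and switch_frame == self.frame_no + 1:               # B: due at the next frame?
                new_key = self.shadow[onu_id]                            # C: fetch from SHADOW ...
                self.switch[onu_id] = (False, switch_frame)              #    ... and clear the flag
                self.active[onu_id] = new_key                            # D: update ACTIVE
                switched.append(onu_id)
        return switched


@dataclass
class ONU:
    onu_id: int
    key: bytes
    pending_key: Optional[bytes] = None
    switch_frame: Optional[int] = None

    def generate_new_key(self) -> bytes:
        """Keep one copy of the new key and hand the other upstream to the OLT."""
        self.pending_key = hashlib.sha256(self.key + b"rekey").digest()[:16]  # constructed, deterministic
        return self.pending_key

    def decrypt(self, frame_no: int, ciphertext: bytes) -> bytes:
        if self.pending_key is not None and frame_no == self.switch_frame:
            self.key, self.pending_key = self.pending_key, None  # switch at the agreed frame, once
        return keystream_xor(self.key, frame_no, ciphertext)


def run_rekey_scenario() -> dict:
    """Two ONUs; ONU 1 uploads a new key before frame 1 and both sides switch at frame 3."""
    olt = OLT()
    onus = {1: ONU(1, b"onu1-initial-key"), 2: ONU(2, b"onu2-initial-key")}  # constructed keys
    for onu in onus.values():
        olt.register(onu.onu_id, onu.key)
    payload = {1: b"downstream to ONU 1", 2: b"downstream to ONU 2"}  # constructed payloads
    result = {"decrypt_ok": [], "frames": []}
    for _ in range(6):
        if olt.frame_no == 1:
            new_key = onus[1].generate_new_key()
            onus[1].switch_frame = olt.receive_new_key(1, new_key)  # frame number sent downstream
            result["switch_frame"] = onus[1].switch_frame
        frame_no = olt.frame_no
        frame = olt.encrypt_frame(payload)
        result["frames"].append(frame)
        result["decrypt_ok"].append(all(onus[o].decrypt(frame_no, c) == payload[o] for o, c in frame.items()))
    result["flag_after"] = olt.switch[1][0]          # False: the switch fired exactly once
    result["active_is_new"] = olt.active[1] == onus[1].key
    # An ONU that ignored the switch frame keeps the old key and reads garbage from frame 3 on.
    result["stale_key_fails"] = keystream_xor(b"onu1-initial-key", 3, result["frames"][3][1]) != payload[1]
    return result
```

Running run_rekey_scenario() shows every frame decrypting correctly across the switch at frame 3, the SWITCH flag cleared afterwards, and an ONU that kept its old key reading garbage from frame 3 onward. Two properties the patent's design depends on are visible here: the check against "current frame number plus 1" means ACTIVE is rewritten in the gap before the switch frame, so the old key encrypts every frame up to the switch frame and the new key every frame from it; and clearing the flag in step C is what makes a switch happen exactly once even though the SWITCH entry is polled after every frame.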
An optical line terminal comprises a downstream data processing module, a first query module, a judging module, a second query module, a key update module, and the following three mapping tables:
The first mapping table stores ONU identifiers and the corresponding new-key flag and key-switch frame number;
The second mapping table stores ONU identifiers and the corresponding new key;
The third mapping table stores ONU identifiers and the corresponding current key;
The downstream data processing module, after encryption of the current downstream GTC frame has finished, sends the current GTC frame number to the judging module and triggers the first query module;
The first query module polls the first mapping table, indexed by ONU identifier, to obtain the corresponding new-key flag and key-switch frame number;
The judging module checks, for each ONU identifier, whether the new-key flag is true and whether the key-switch frame number equals the current GTC frame number plus 1; if both hold, it determines that the corresponding ONU needs a key switch;
The second query module, for each ONU that needs a key switch, looks up the second mapping table, indexed by ONU identifier, to obtain the new key, and sets that ONU's new-key flag in the first mapping table to false;
The key update module writes the obtained new key over the corresponding current key in the third mapping table.
The embodiment of the invention performs the key switch procedure as a pipeline, which greatly increases the key switch speed. This guarantees timely ONU key updates, allows the keys of all ONUs to be updated in a single key-switch round, and thereby improves the stability of the downstream data flow.
Brief description of the drawings
Fig. 1 is a structural diagram of the optical line terminal of the embodiment of the invention;
Fig. 2 is a flow chart of the four-stage pipelined processing in the key updating method of the embodiment of the invention.
Embodiments
To make the objects, technical solution and advantages of the invention clearer, the invention is described below with reference to the drawings and specific embodiments.
Referring to Fig. 1, the optical line terminal (OLT) of the embodiment mainly comprises a downstream data processing module, a first query module, a judging module, a second query module, a key update module, and a first mapping table (the SWITCH table), a second mapping table (the SHADOW table) and a third mapping table (the ACTIVE table).
The SWITCH table stores the ONU identifier (ONU ID) together with the corresponding new-key flag and key-switch frame number; the SHADOW table stores the ONU ID and the corresponding new key; the ACTIVE table stores the ONU ID and the corresponding current key.
The key update procedure is initiated periodically by the OLT. On receiving the OLT's command, the ONU generates a new key, keeps one copy and sends a copy upstream to the OLT. After receiving the new key, the OLT stores the ONU ID and the new key in the SHADOW table, generates a key-switch frame number (the switch time of the new key), stores the ONU ID together with the new-key flag (now set to true) and the key-switch frame number in the SWITCH table, and sends a copy of the key-switch frame number downstream to the ONU. The new-key flag is a boolean variable: true means the corresponding new key has not yet been switched in; false means it has already been switched in.
The downstream data processing module encrypts the GTC frame with the current keys stored in the ACTIVE table: it looks up each ONU's current key in the ACTIVE table by ONU ID and encrypts that ONU's part of the GTC frame with it. When the encryption finishes it sends the current GTC frame number to the judging module and triggers the first query module, i.e. it starts the key switch procedure. The key switch procedure runs in the gap between every two frames and is executed as a four-stage pipeline.
The first query module performs the first pipeline stage: it polls the SWITCH table, indexed by ONU ID, to obtain the corresponding new-key flag and key-switch frame number.
The judging module performs the second pipeline stage: for each ONU ID it checks whether the new-key flag is true and whether the key-switch frame number equals the current GTC frame number plus 1; if both hold, it determines that the corresponding ONU needs a key switch. The judging module starts as soon as the first query module has produced one result; it does not wait for the poll to complete.
The second query module performs the third pipeline stage: for each ONU that needs a key switch it looks up the SHADOW table, indexed by ONU ID, to obtain the new key, and sets that ONU's new-key flag in the SWITCH table to false. The second query module starts as soon as the judging module has identified one ONU that needs a key switch; it does not wait for the judging module to finish judging all ONUs.
The key update module performs the fourth pipeline stage: it overwrites the current key of the corresponding ONU in the ACTIVE table with the new key just obtained. The key update module starts as soon as the second query module has produced one result; it does not wait for the second query module to complete all its lookups.
The first query module, after polling the last entry, also starts a timer; when the timer expires it instructs the downstream data processing module to encrypt the next GTC frame.
The timer period is not less than the sum of the times the judging module, the second query module and the key update module need to perform their respective operations for the ONU corresponding to the last polled entry. In other words, encryption of the next GTC frame starts only after the operations for all ONU identifiers have completed.
The modules of the embodiment thus work as a pipeline (in parallel): processing of the next ONU does not wait until all modules have finished with the previous ONU, which greatly increases the key switch speed.
In this embodiment the type of key is not restricted: it may be an AES key or any other type of key used in GPON.
Referring to Fig. 2, the four-stage pipelined processing in the key updating method of the embodiment is as follows:
The end of a downstream GTC frame starts one key-switch round; in each round the four-stage pipeline quickly completes the key switches of all ONUs, and the end of each GTC frame triggers the first stage of a new round;
In stage 1, the SWITCH table is polled with the ONU ID as index to obtain the corresponding new-key flag and key-switch frame number; the ONU ID runs through all values;
In stage 2, the new-key flag that stage 1 obtained for the ONU ID is examined first; if it is true, the key-switch frame number is then compared with the current GTC frame number plus 1; if they are equal, it is determined that the corresponding ONU needs a key switch, otherwise nothing is done;
In stage 3, for an ONU that needs a key switch, the SHADOW table is looked up with the ONU ID as index to obtain the new key, and that ONU's new-key flag in the SWITCH table is updated to false;
In stage 4, with the ONU ID as index, the current key in the ACTIVE table is overwritten with the new key just obtained.
In addition, stage 2 performs one operation in parallel: it checks whether the last ONU ID entry of the SWITCH table has been traversed; if so, it starts a timer, and when the timer expires it notifies the downstream data processing module that it may encrypt the next GTC frame, which then uses, for every ONU, the new key from the most recent successful switch. The timer period is not less than the time needed for the ONU corresponding to the last polled entry to complete stage 2 through stage 4; that is, encryption of the next GTC frame starts only after the operations for all ONU identifiers have completed.
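The following is an added example, not code from the patent or from ZTE: a discrete-time Python model of the four-stage pipeline just described (poll SWITCH, judge, fetch from SHADOW and clear the flag, update ACTIVE), compared with the serial per-ONU switch of the background section, together with the timer bound of claims 3 and 7. The function names, the one-tick-per-stage costs in STAGE_COST and the six-entry sample table are the example's own assumptions; the gap between two GTC frames in which the round has to fit is the fixed 125 µs frame period of G.984.

```python
"""Discrete-time model of the four-stage key-switch pipeline and its timer bound (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Sequence

STAGE_COST = (1, 1, 1, 1)  # assumed ticks per entry for stages 1..4


@dataclass(frozen=True)
class SwitchEntry:
    onu_id: int
    needs_switch: bool  # outcome of the stage-2 judgement for this entry


# Constructed sample SWITCH table for one round: six ONUs, four of them due to switch.
ENTRIES = [SwitchEntry(1, True), SwitchEntry(2, True), SwitchEntry(3, False),
           SwitchEntry(4, True), SwitchEntry(5, False), SwitchEntry(6, True)]


def _stage_cost(entry: SwitchEntry, stage: int, cost: Sequence[int]) -> int:
    # An entry the judge rejects does no SHADOW lookup and no ACTIVE update.
    return 0 if stage >= 2 and not entry.needs_switch else cost[stage]


def pipeline_schedule(entries: Sequence[SwitchEntry], cost=STAGE_COST) -> Dict[int, List[int]]:
    """Finish tick of stages 1..4 per ONU when each stage takes the next entry as soon as
    it is free and the previous stage has delivered it (the embodiment's rule that a
    stage starts on the first result instead of waiting for the whole poll)."""
    stage_free = [0] * len(cost)
    finish: Dict[int, List[int]] = {}
    for entry in entries:
        ready = 0
        ticks = []
        for stage in range(len(cost)):
            ready = max(ready, stage_free[stage]) + _stage_cost(entry, stage, cost)
            stage_free[stage] = ready
            ticks.append(ready)
        finish[entry.onu_id] = ticks
    return finish


def serial_schedule(entries: Sequence[SwitchEntry], cost=STAGE_COST) -> Dict[int, List[int]]:
    """Background-section behaviour: the next ONU's switch starts only after the
    previous ONU has gone through all four steps."""
    now = 0
    finish: Dict[int, List[int]] = {}
    for entry in entries:
        ticks = []
        for stage in range(len(cost)):
            now += _stage_cost(entry, stage, cost)
            ticks.append(now)
        finish[entry.onu_id] = ticks
    return finish


def round_length(finish: Dict[int, List[int]]) -> int:
    """Tick at which the last ACTIVE update of the round completes."""
    return max(t[-1] for t in finish.values())


def min_timer(cost=STAGE_COST) -> int:
    """Claims 3 and 7: the timer is at least the time the last polled entry needs for stages 2..4."""
    return sum(cost[1:])


def next_frame_start(finish: Dict[int, List[int]], timer: int) -> int:
    """The timer starts when stage 1 has polled the last entry; the next GTC frame is
    encrypted when it expires."""
    return max(t[0] for t in finish.values()) + timer


def stale_keys_at(finish: Dict[int, List[int]], entries: Sequence[SwitchEntry], start: int) -> List[int]:
    """ONUs whose ACTIVE entry would still hold the old key when encryption of the next
    frame starts at `start`: the failure the timer bound prevents."""
    return [e.onu_id for e in entries if e.needs_switch and finish[e.onu_id][3] > start]


if __name__ == "__main__":
    pipe, serial = pipeline_schedule(ENTRIES), serial_schedule(ENTRIES)
    print("pipelined round:", round_length(pipe), "ticks; serial round:", round_length(serial), "ticks")
    ok = next_frame_start(pipe, min_timer())
    print("next frame at tick", ok, "-> ONUs with stale ACTIVE key:", stale_keys_at(pipe, ENTRIES, ok))
    short = next_frame_start(pipe, min_timer() - 2)
    print("next frame at tick", short, "-> ONUs with stale ACTIVE key:", stale_keys_at(pipe, ENTRIES, short))
```

With the six sample entries the pipelined round completes at tick 9 (N plus 3) against 20 for the serial version; with ten entries that all switch it is 13 against 40, which is the "all ONUs in one round" claim in numbers. A timer of min_timer() makes next_frame_start coincide with the last ACTIVE update. Shortening it by two ticks leaves ONU 6 with its old key still in ACTIVE when the next frame is encrypted, while that ONU has already moved to its new key at the agreed frame, so it cannot decrypt that frame; this is why the bound in claims 3 and 7 is stated for the last polled entry and not for an average one.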
Finally, it should be noted that the above embodiments only illustrate the technical solution of the invention and do not limit it. Those of ordinary skill in the art will understand that the technical solution of the invention may be modified or equivalently replaced without departing from the spirit and scope of the technical solution, and that all such modifications fall within the scope of the claims of the invention.

Claims (8)

1. A key updating method in a Gigabit passive optical network (GPON), characterized in that the following three mapping tables are set up in the optical line terminal (OLT):
a first mapping table storing optical network unit (ONU) identifiers and the corresponding new-key flag and key-switch frame number;
a second mapping table storing ONU identifiers and the corresponding new key;
a third mapping table storing ONU identifiers and the corresponding current key;
and that, after the OLT finishes encrypting the current downstream GPON Transmission Convergence (GTC) frame, the following steps are executed in parallel, as a pipeline:
A. polling the first mapping table, indexed by ONU identifier, to obtain the corresponding new-key flag and key-switch frame number;
B. for each ONU identifier, judging whether the value of the corresponding new-key flag is true and whether the corresponding key-switch frame number equals the current GTC frame number plus 1, and if both judgements are positive, determining that a key switch is to be performed for the corresponding ONU;
C. for each ONU for which a key switch is to be performed, looking up the second mapping table, indexed by ONU identifier, to obtain the corresponding new key, and updating the value of the corresponding new-key flag in the first mapping table to false;
D. updating the corresponding current key in the third mapping table with the obtained new key.
2. The method of claim 1, characterized in that step A further comprises:
after the last entry of the first mapping table has been polled, starting a timer, and when the timer expires, instructing the downstream data processing module in the OLT to encrypt the next GTC frame.
3. The method of claim 2, characterized in that:
the timer period is not less than the time required for the ONU corresponding to the last polled entry to complete step B through step D.
4. The method of claim 1, characterized in that:
the key is an Advanced Encryption Standard (AES) key.
5. An optical line terminal (OLT), characterized in that it comprises a downstream data processing module, a first query module, a judging module, a second query module, a key update module, and the following three mapping tables:
a first mapping table storing optical network unit (ONU) identifiers and the corresponding new-key flag and key-switch frame number;
a second mapping table storing ONU identifiers and the corresponding new key;
a third mapping table storing ONU identifiers and the corresponding current key;
the downstream data processing module is configured, after encryption of the current downstream GPON Transmission Convergence (GTC) frame has finished, to send the current GTC frame number to the judging module and to trigger the first query module;
the first query module is configured to poll the first mapping table, indexed by ONU identifier, and obtain the corresponding new-key flag and key-switch frame number;
the judging module is configured, for each ONU identifier, to judge whether the value of the corresponding new-key flag is true and whether the corresponding key-switch frame number equals the current GTC frame number plus 1, and if both judgements are positive, to determine that a key switch is to be performed for the corresponding ONU;
the second query module is configured, for each ONU for which a key switch is to be performed, to look up the second mapping table, indexed by ONU identifier, to obtain the corresponding new key, and to update the value of the corresponding new-key flag in the first mapping table to false;
the key update module is configured to update the corresponding current key in the third mapping table with the obtained new key.
6. The optical line terminal of claim 5, characterized in that:
the first query module is further configured, after the last entry of the first mapping table has been polled, to start a timer, and when the timer expires, to instruct the downstream data processing module to encrypt the next GTC frame.
7. The optical line terminal of claim 6, characterized in that:
the timer period is not less than the sum of the times required by the judging module, the second query module and the key update module to perform their respective operations for the ONU corresponding to the last polled entry.
8. The optical line terminal of claim 5, characterized in that:
the key is an Advanced Encryption Standard (AES) key.

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN200910086698.2A (CN101931830B) 2009-06-18 2009-06-18 Method for upgrading secret key in Gigabit passive optical network and optical line terminal
PCT/CN2009/074866 (WO2010145116A1) 2009-06-18 2009-11-09 Method for key updating in gigabit-capable passive optical network and optical line terminal thereof

Publications (2)

Publication Number Publication Date
CN101931830A 2010-12-29
CN101931830B 2014-03-19

Family

ID=43355694; family application CN200910086698.2A (Active); country status CN (CN101931830B), WO (WO2010145116A1).

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103684762A * 2012-09-06 2014-03-26 上海贝尔股份有限公司 Method for enhancing transmission security in PON (Passive Optical Network)
CN108092820B * 2017-12-27 2020-12-01 广州芯德通信科技股份有限公司 Method for limiting ONU access number by OLT through license
CN113347165A * 2021-05-24 2021-09-03 交通银行股份有限公司 Method and device for seamlessly replacing secret key, server side and data interaction method

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101247665A * 2008-03-25 2008-08-20 中兴通讯股份有限公司 Method for improving gigabit passive optical network reliability

Family Cites Families (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7313330B2 * 2002-08-13 2007-12-25 Samsung Electronics Co., Ltd. Redundant apparatus and method for gigabit ethernet passive optical network system and frame format thereof
KR100523357B1 * 2003-07-09 2005-10-25 한국전자통신연구원 Key management device and method for providing security service in EPON
KR20060063271A * 2004-12-07 2006-06-12 한국전자통신연구원 The key distribution technique of link security on EPON
CN101388765B * 2007-09-14 2011-03-16 中兴通讯股份有限公司 Ciphering mode switching method for G bit passive optical fiber network system

Also Published As

Publication number Publication date
CN101931830A 2010-12-29
WO2010145116A1 2010-12-23


Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
GR01 Patent grant