CN102104478A - Method and device for improving safety of EPON system - Google Patents

Method and device for improving safety of EPON system

Info

Publication number: CN102104478A
Authority: CN (China)
Prior art keywords: key, security, olt, onu, level
Legal status: Pending
Application number: CN2009101891360A
Other languages: Chinese (zh)
Inventor: 游莉萍
Current assignee: ZTE Corp
Original assignee: ZTE Corp
Application filed by ZTE Corp
Priority to CN2009101891360A
Publication of CN102104478A

Landscapes

  • Storage Device Security (AREA)

Abstract

The invention discloses a method and a device for improving the security of an Ethernet passive optical network (EPON) system. The method comprises the following steps: security levels are set on an optical line terminal (OLT), with different security levels corresponding to different encryption algorithms; the OLT encrypts the data frames of a service flow with the encryption algorithm corresponding to the flow's security level and transmits them to an optical network unit (ONU); and the ONU receives the data frames of the service flow and decrypts them with the corresponding decryption algorithm and key. Higher user requirements for security and delay can be met, and the security of the system is further improved.

Description

Method and device for enhancing the security of an EPON system
Technical field
The present invention relates to the communications field, and in particular to a method and device for enhancing the security of an EPON (Ethernet Passive Optical Network) system.
Background art
EPON realizes Ethernet access over a PON (Passive Optical Network) topology. It is easy to maintain, offers high bandwidth, low cost and flexible service functions, and is considered one of the best broadband optical fibre access technologies; it represents the latest development trend of broadband access networks worldwide and is one of the best choices for realizing fibre to the home. However, because EPON uses a shared topology and broadcasts downstream data, security problems are unavoidable, and with the large-scale commercialization of EPON these problems are becoming increasingly serious.
In an EPON system, data transmission from the OLT (Optical Line Terminal) to the ONU (Optical Network Unit) is called the downstream direction, and the downstream direction has the characteristic of a shared medium. For downstream broadcast data, each ONU decides whether to accept a frame only according to the LLID assigned to it, and this makes the security performance low. If an attacker sets an ONU to promiscuous mode and extracts all downstream Ethernet frames, it can on the one hand intercept the communication content received by other users, and on the other hand capture downstream control frames and OAM (Operation, Administration and Maintenance) frames and thereby obtain grant and network management information. Such a network has no security to speak of and cannot make EPON acceptable to operators and users as a broadband access method carrying paid services; therefore there is an urgent need to strengthen the security of EPON systems.
At present, downstream encryption is generally used to ensure the security of an EPON system, following one of two approaches. The first applies a single encryption algorithm to all downstream services, for example the triple churning algorithm proposed in the China Telecom EPON equipment interconnection and interworking standard, which encrypts all downstream services. The second applies different encryption algorithms according to the service flow type, for example triple churning for voice and video services and the AES algorithm for data services.
In the first scheme, which applies the single triple churning algorithm to all downstream services, a 3-byte random number (X1 to X8, P1 to P16) is used as the churning code; a fixed algorithm derives the 10-bit auxiliary churning parameters K1 to K10 from the churning code, and these 34 bits together form one churning key. The churning end uses the 18 bits P1 to P8 and K1 to K10 to churn the 8-bit-wide data stream according to the specified rules, and the dechurning end uses the same 18 bits to dechurn the churned 8-bit-wide data stream.
Churning encryption has a relatively low implementation cost and small encryption and decryption overhead; its main shortcoming is low security. Because the churning mechanism uses a three-byte key, related analysis shows that the really effective key length is only 16 bits, i.e. 65536 keys in total; if an exhaustive search is used, a computer performing one million trials per microsecond needs less than 0.0000001 seconds. The churning key is refreshed at least once per second; within that second, at a rate of 622 Mb/s, once the key is broken nearly all the information is exposed to the cryptanalyst.
The second scheme applies different encryption algorithms according to the service flow: data services are encrypted with the AES algorithm, and voice and video streams with the triple churning algorithm.
Encrypting data services with AES can resist the known cryptographic attack methods. The differential and linear cryptanalysis methods proposed in recent years, for example, are all aimed at the Feistel structure that most encryption algorithms use in every round; a characteristic of the Feistel structure is that part of the intermediate state bytes are moved to other positions unchanged, which evidently can leak some key information to the cryptanalyst. AES does not use a Feistel structure in any round, and tests show that AES with four or more rounds is essentially immune to these two attacks. For delay-sensitive voice and video services the security requirement is generally not very high, and the triple churning algorithm can meet their security and delay requirements.
The advantage of the second scheme is that choosing a suitable encryption algorithm according to the service flow type can satisfy the security and delay requirements of multiple services. Its shortcomings are: the AES algorithm is relatively difficult to implement efficiently in EPON and introduces a larger overhead; the encryption algorithm can only be selected according to the service type and cannot be controlled by the user, so data service flows that do not need encryption, or that are not very important, must still all be encrypted with AES, wasting resources, while a small amount of very important voice and video traffic can only be encrypted with triple churning, even though in that case the demand for security far exceeds the demand for low delay, so the scheme cannot satisfy some specific user needs; and there is at present no related method in EPON systems for realizing efficient and secure key exchange for multiple encryption algorithms.
From the two schemes above it can be seen that the encryption algorithms currently used for downstream services in EPON systems cannot satisfy the delay, security and overhead requirements of different services, and that there is currently no way to realize key exchange for multiple encryption algorithms in an EPON system efficiently and securely.
Summary of the invention
The invention provides a method for enhancing the security of an EPON system, which can strengthen the security of the EPON system and reduce the system burden.
In one aspect, the invention provides a method for enhancing the security of an EPON system, comprising:
Security levels are set on the optical line terminal OLT, with different security levels corresponding to different encryption algorithms; the OLT, according to the security level of a service flow, encrypts the data frames of the service flow with the corresponding encryption algorithm and sends them to the optical network unit ONU; after the ONU receives the data frames of the service flow, it decrypts them with the corresponding decryption algorithm and key.
In an embodiment of the above method, the different encryption algorithms corresponding to the different security levels specifically comprise:
Security level 1: the corresponding service flow does not need encryption;
Security level 2: the corresponding service flow is encrypted with the triple churning algorithm;
Security level 3: the corresponding service flow is encrypted with the AES algorithm.
In an embodiment of the above method, the security level is raised or lowered on demand as follows:
Bits 4, 5 and 6 of the 5th byte of the EPON frame preamble in the service flow are used as the sec flag bits to identify the user's adjustment of the security level; different values of the sec flag bits indicate raising or lowering the default security level corresponding to the service type;
The security level corresponding to the service flow is determined according to the default security level and the adjustment.
In an embodiment of the above method, the OLT further updates the keys of the encryption algorithms from the ONU separately for each encryption algorithm, specifically comprising the following steps:
A1. The OLT sends a new-key request frame to the ONU;
A2. After the ONU receives the new-key request frame, it sends a new-key notification frame to the OLT, the notification frame containing the new key and its key number;
A3. The ONU writes the value currently in the latest-key register into the second-newest-key register, and writes the latest key and key number it sent to the OLT into the latest-key register;
A4. After the OLT receives the new-key notification frame, it reads the key and key number from it and writes them into its key register.
In an embodiment of the above method, the OLT updates keys from the ONU periodically.
In an embodiment of the above method, the OLT periodically updating keys from the ONU specifically comprises the following steps:
A1'. The OLT sets a first timer and a second timer for each encryption algorithm;
A2'. When the first timer expires, the OLT sends a new-key request frame to the ONU and starts the second timer;
A3'. After the ONU receives the new-key request frame, it sends a new-key notification frame to the OLT containing the new key and its key number;
A4'. If the OLT receives the new-key notification frame from the ONU before the second timer expires, it reads the key and key number, writes them into its key register and resets the second timer, and the key update succeeds; if the OLT has still not received the notification frame when the second timer expires, the key update has failed: the OLT resets the second timer, sends the new-key request frame to the ONU again, and reports the update failure to network management.
In an embodiment of the above method, the OLT encrypting the data frames of the service flow with the corresponding encryption algorithm according to the security level and sending them to the ONU comprises the following steps:
B1. The OLT determines the security level of the service flow and determines the encryption algorithm to use according to the security level;
B2. The OLT reads the current key from the register corresponding to that encryption algorithm, encrypts the data frames of the service flow, and sends them to the ONU.
In an embodiment of the above method, the ONU decrypting the data frames with the corresponding decryption algorithm and key after receiving them comprises the following steps:
B3. After the ONU receives the service flow sent by the OLT, it determines the corresponding decryption algorithm and key number;
B4. If the key number is the same as the key number in the latest-key register corresponding to that decryption algorithm, the data frames of the service flow are decrypted with the key in the latest-key register; otherwise they are decrypted with the key in the second-newest-key register.
In an embodiment of the above method, step B2 further comprises:
In the service flow sent by the OLT to the ONU, bits 1, 2 and 3 of the 5th byte of the EPON frame preamble are used as the key information flag bits, which consist of an encryption flag and a key index: the encryption flag indicates whether the frame is encrypted and with which encryption algorithm, and the key index indicates the key number the ONU uses in decryption;
Step B3 further comprises:
The ONU determines from the encryption flag whether the service flow needs decryption and, if it does, determines the corresponding decryption algorithm;
The ONU determines from the key index the key number to use in decryption.
In another aspect, the invention also discloses a device for enhancing the security of an EPON system, comprising a security level setting module, an encrypting and sending module and a decryption module. The security level setting module sets security levels on the optical line terminal OLT, with different security levels corresponding to different encryption algorithms; the encrypting and sending module encrypts, at the OLT, with the encryption algorithm corresponding to the security level of the service flow and sends the result to the ONU; the decryption module, after the optical network unit ONU receives the encrypted service data frames sent by the OLT, decrypts them with the corresponding decryption algorithm and decryption key.
The device disclosed by the invention may further comprise a key update module, used by the OLT to update the key of each encryption algorithm separately from the ONU.
The device disclosed by the invention may further comprise a security level adjustment module, arranged on the OLT, for raising or lowering the security level of a service flow on demand.
Compared with the prior art, the beneficial effects of the invention are:
Different security levels are set, each corresponding to a different encryption algorithm, and service flows are encrypted according to their security level; this better satisfies users' security and delay requirements and can reduce the consumption of system resources. At the same time, the OLT obtains the algorithm keys from the ONU, which enhances the security performance of the system and guarantees key synchronization; the OLT obtains keys periodically, and periodic key updates reduce the possibility of keys being cracked, further strengthening the security of the system.
Description of drawings
Fig. 1 shows, by way of example, a flow chart of the OLT of the invention updating keys from the ONU;
Fig. 2 shows, by way of example, the frame format of EPON OAM;
Fig. 3 shows, by way of example, the format of the new-key request frame of the invention;
Fig. 4 shows, by way of example, the format of the new-key notification frame of the invention;
Fig. 5 shows, by way of example, a flow chart of the OLT of the invention periodically updating keys;
Fig. 6 shows, by way of example, a flow chart of the OLT sending a service flow to the ONU;
Fig. 7 shows, by way of example, a flow chart of the ONU's processing after receiving the service flow sent by the OLT;
Fig. 8 shows, by way of example, the structure of the device of the invention.
Detailed description
The invention is further described below with reference to the drawings and embodiments.
The method of the invention for enhancing the security of an EPON system comprises the following steps:
A. Security levels are set on the optical line terminal OLT, with different security levels using different encryption algorithms;
B. The OLT updates the key of each encryption algorithm separately from the optical network unit ONU;
C. According to the security level of the service flow, the OLT encrypts its data frames with the corresponding encryption algorithm and sends them to the ONU;
D. The ONU decrypts the received data frames with the corresponding decryption algorithm and key.
Embodiment one:
As shown in Fig. 1, in the method for enhancing EPON system security of one embodiment of the invention, the OLT updating keys from the ONU comprises the following steps:
Step 101: three security levels are set on the OLT, with different security levels corresponding to different encryption algorithms;
In one embodiment of the invention the encryption algorithms corresponding to the three security levels are set as follows:
Security level 1: the corresponding service flow does not need encryption;
Security level 2: the corresponding service flow is encrypted with the triple churning algorithm;
Security level 3: the corresponding service flow is encrypted with the AES algorithm.
The user may also add or remove security levels as required, and other encryption algorithms may be used.
By setting different security levels that use different encryption algorithms, service flows with high security requirements are encrypted with AES to avoid being cracked, while service flows with lower security requirements and high delay requirements use triple churning or no encryption; because triple churning consumes few resources, the delay requirement can be guaranteed and system resource consumption reduced.
Step 102: key registers are set up;
On the OLT side, one key register is set up for each encryption algorithm, used to hold the key and key number currently in use by that algorithm;
On the ONU side, two key registers are set up for each decryption algorithm, used to store the keys and key numbers of the two most recent generations; they are called the latest-key register and the second-newest-key register respectively. The latest-key register stores the most recently generated key and key number, and the second-newest-key register stores the key and key number generated the time before;
Keeping a key register for each algorithm on both the ONU and the OLT, and in particular keeping two registers on the ONU that hold the latest and second-newest keys for each algorithm, realizes key synchronization in the system: a service flow can be both encrypted and decrypted, so normal operation of the system is guaranteed at the same time as its security.
Step 103: the OLT sends a new-key request frame to the ONU for each encryption algorithm separately;
Step 104: after the ONU receives the new-key request frame, it sends a new-key notification frame to the OLT containing the new key and its key number;
The frame format of OAM in the EPON system is shown in Fig. 2. The IEEE 802.3ah protocol specifies the operations represented by the Ext.Opcode value in the frame format; Ext.Opcode=0x09 represents the key exchange related to triple churning, and some reserved values are unused, so reserved values can be used to represent the key exchange messages of the various encryption algorithms. In this embodiment Ext.Opcode=0x19 represents the key exchange related to the AES algorithm.
The Payload field of the OAM frame is further arranged to distinguish the key request frame from the key notification frame. The specific format of the key request frame is shown in Fig. 3 and that of the key notification frame in Fig. 4; the parameters of the two frames are explained as follows:
Ext.Opcode=0x09 represents the key exchange related to the triple churning algorithm;
Ext.Opcode=0x19 represents the key exchange related to the AES algorithm;
Code=0x00 represents the key request frame;
Code=0x01 represents the key notification frame;
The lowest bit of the In-use-Key Index byte indicates the key number the OLT is using; the other bits of this byte are 0;
The lowest bit of the New-Key Index byte indicates the key number sent by the ONU; the other bits of this byte are 0;
New-Key-Value is the new key value corresponding to the encryption algorithm: 3 bytes for the triple churning algorithm and 32 bytes for the AES algorithm.
The frames used for key synchronization, designed on the basis of the EPON system's OAM frame format, have good extensibility.
Step 105: the ONU updates its local keys, writing the value in the latest-key register into the second-newest-key register and writing the latest key and key number sent to the OLT into the latest-key register;
At system initialization, the latest-key register and the second-newest-key register corresponding to each encryption algorithm in the ONU are initialized to the same specific value, which can be determined according to the relevant rules of each encryption algorithm; the key register corresponding to each encryption algorithm in the OLT is initialized to a value equal to that in the ONU's register for the corresponding algorithm.
Step 106: after the OLT receives the new-key notification frame, it reads the key and key number and writes them into its key register.
Transmitting the key upstream, that is, the OLT obtaining the key from the ONU, further guarantees the security of the system.
Embodiment two:
As shown in Fig. 5, in the EPON system security method of one embodiment of the invention, the OLT periodically updating keys from the ONU comprises the following steps:
Step 201: the OLT sets two timers, key_update_timer (the first timer) and Request_Timer (the second timer), for each encryption algorithm. key_update_timer controls the key update period; when it expires, the OLT starts the key update process. Request_Timer is used to start the next key update request when a key update cannot be obtained, so as to increase the reliability of key updating;
Step 202: when key_update_timer expires, the OLT sends a new-key request frame to the ONU and starts Request_Timer;
Step 203: when the ONU receives the new-key request frame sent by the OLT, it reads the lowest bit of the In-use-Key Index byte in the frame, adds 1 to that key number (in binary, i.e. modulo 2) to obtain the key number of the new key to be sent to the OLT, and at the same time generates a new key according to the relevant algorithm and sends it to the OLT in a new-key notification frame;
Step 204: the ONU updates its local keys, writing the value in the latest-key register into the second-newest-key register and writing the latest key and key number sent to the OLT into the latest-key register;
Step 205: if the OLT receives the new-key notification frame from the ONU before Request_Timer expires, it reads the key and key number, writes them into its key register, and resets Request_Timer;
Step 206: if the OLT has still not received the new-key notification frame from the ONU after Request_Timer expires, the key update has failed; the OLT resets Request_Timer, sends the new-key request frame to the ONU again, and reports the update failure to network management;
Step 207: if the OLT fails to update the key several times in succession, it raises an alarm to network management.
The user can set as required how many consecutive update failures trigger the alarm to network management, and the timeout of each timer can also be set as required, which makes the scheme flexible.
Updating keys periodically reduces the possibility of a key being cracked and enhances the security of the system.
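The key-update exchange of Embodiments one and two, written out as an added Python illustration (not code from the patent or from ZTE). The Ext.Opcode, Code and key-length values come from the page; the byte order of the OAM payload (Ext.Opcode, Code, In-use-Key Index, New-Key Index, New-Key-Value), the all-zero initial register value, the use of os.urandom as the ONU's key generator and the alarm threshold of 3 consecutive failures are assumptions, since Figs. 3 to 5 are not reproduced here. Timer expiries are modelled as direct calls rather than real timers.

```python
import os

# OAM key-exchange codes from the page; the payload byte layout
# (Ext.Opcode, Code, In-use-Key Index, New-Key Index, New-Key-Value) is an
# assumption, since Figs. 3 and 4 are not reproduced on the page.
EXT_OPCODE = {"churning": 0x09, "aes": 0x19}
ALG_FOR_OPCODE = {v: k for k, v in EXT_OPCODE.items()}
CODE_REQUEST, CODE_NOTIFY = 0x00, 0x01
KEY_LEN = {"churning": 3, "aes": 32}
# Constructed initial register value; the page only requires OLT and ONU to start equal.
INITIAL_KEY = {alg: bytes(n) for alg, n in KEY_LEN.items()}


def build_key_request(alg, in_use_index):
    """Key request frame: Code=0x00, lowest bit of In-use-Key Index = OLT's key number."""
    return bytes([EXT_OPCODE[alg], CODE_REQUEST, in_use_index & 1, 0x00])


def build_key_notify(alg, new_index, new_key):
    """Key notification frame: Code=0x01, New-Key Index bit, then New-Key-Value."""
    if len(new_key) != KEY_LEN[alg]:
        raise ValueError("key length does not match the algorithm")
    return bytes([EXT_OPCODE[alg], CODE_NOTIFY, 0x00, new_index & 1]) + new_key


def parse_key_frame(frame):
    """Decode either frame type; unknown opcodes and truncated keys are rejected."""
    alg = ALG_FOR_OPCODE[frame[0]]
    if frame[1] == CODE_REQUEST:
        return {"alg": alg, "code": CODE_REQUEST, "in_use_index": frame[2] & 1}
    key = frame[4:4 + KEY_LEN[alg]]
    if frame[1] != CODE_NOTIFY or len(key) != KEY_LEN[alg]:
        raise ValueError("malformed key notification frame")
    return {"alg": alg, "code": CODE_NOTIFY, "new_index": frame[3] & 1, "new_key": key}


class ONU:
    """Latest-key and second-newest-key register per algorithm (step 102)."""

    def __init__(self):
        self.latest = {alg: (0, INITIAL_KEY[alg]) for alg in KEY_LEN}
        self.previous = dict(self.latest)

    def handle_request(self, frame):
        req = parse_key_frame(frame)
        alg = req["alg"]
        new_index = (req["in_use_index"] + 1) & 1      # step 203: add 1 modulo 2
        new_key = os.urandom(KEY_LEN[alg])               # stands in for the algorithm's key generator
        self.previous[alg] = self.latest[alg]            # step 204: shift the registers
        self.latest[alg] = (new_index, new_key)
        return build_key_notify(alg, new_index, new_key)


class OLT:
    """One key register per algorithm plus the consecutive-failure counter of step 207."""

    def __init__(self, alarm_threshold=3):   # threshold is user-configurable per the page; 3 is an assumption
        self.register = {alg: (0, INITIAL_KEY[alg]) for alg in KEY_LEN}
        self.failures = {alg: 0 for alg in KEY_LEN}
        self.alarm_threshold = alarm_threshold
        self.alarms = []

    def request(self, alg):
        return build_key_request(alg, self.register[alg][0])

    def handle_notify(self, frame):
        note = parse_key_frame(frame)
        self.register[note["alg"]] = (note["new_index"], note["new_key"])
        self.failures[note["alg"]] = 0                   # step 205: success resets Request_Timer

    def request_timeout(self, alg):
        """Request_Timer expiry (step 206): count the failure, alarm if needed, re-send the request."""
        self.failures[alg] += 1
        if self.failures[alg] >= self.alarm_threshold:
            self.alarms.append(alg)
        return self.request(alg)


def run_update_cycle(olt, onu, alg, reply_lost=False):
    """One key_update_timer expiry; returns True if the OLT's register now matches the ONU's latest."""
    reply = onu.handle_request(olt.request(alg))
    if reply_lost:                                        # notification never reaches the OLT
        olt.request_timeout(alg)
        return False
    olt.handle_notify(reply)
    return olt.register[alg] == onu.latest[alg]
```

Running the lost-reply path shows one consequence of steps 203 to 206 worth checking in a real implementation: the ONU rotates its registers on every request it answers, so after a lost notification and a retry both ONU registers hold keys the OLT has not yet received, until the retried notification arrives.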
Embodiment three:
As shown in Fig. 6, in the EPON security system of one embodiment of the invention, the OLT sending a secure service flow to the ONU comprises the following steps:
Step 301: the service security level is adjusted according to the service type and the security requirement;
A field that the user is allowed to adjust is provided so that the user can adjust the security level of the service flow. In one embodiment of the invention, bits 4, 5 and 6 of the 5th byte of the EPON frame preamble in the service flow are used to identify the user's adjustment of the security level; they are called the sec flag bits.
The meanings of the different values of the sec flag bits are as follows:
000: the user has no special requirement for the security level of the service flow, and the default security level is used;
001: the user needs the default security level corresponding to the service type raised by 1 level;
010: the user needs the default security level corresponding to the service type raised by 2 levels;
100: the user needs the default security level corresponding to the service type lowered by 1 level;
110: the user needs the default security level corresponding to the service type lowered by 2 levels.
The user can adjust the security level of the service flow as required, which satisfies diverse user needs.
Step 302: the OLT divides service flows into two broad classes, video/voice flows and data service flows, and determines the default security level of the service flow: the default security level of video/voice flows is 2 and that of data service flows is 3.
Step 303: the OLT determines the security level of the service flow from the sec value and the default security level, and determines the encryption algorithm to use according to the security level;
For example, for a certain video/voice flow the default security level is 2; if the user raises the default security level corresponding to this service by 1 level, the flow has security level 3 and is encrypted with the AES algorithm.
Step 304: the OLT reads the current key from the register corresponding to the relevant encryption algorithm as the input to the algorithm, encrypts the service flow, writes the key number into the key index bit Key_Index of the Enc field in the EPON frame, and sends the frame to the ONU;
In one embodiment of the invention, bits 1, 2 and 3 of the 5th byte of the EPON frame preamble are used as the key information flag bits, referred to as the Enc flag bits; the Enc flag bits consist of the Flag bits and the Key_Index bit, with the following meanings:
Flag bits (bits 1 and 2): encryption flag, indicating whether the frame is encrypted and with which encryption algorithm:
00: plaintext, not encrypted;
01: encrypted with the triple churning algorithm;
10: encrypted with the AES algorithm.
Key_Index bit (bit 3): key index, indicating the key number the ONU uses in decryption.
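The security-level adjustment of the Summary and of steps 301 to 304, with the sec and Enc bit fields of preamble byte 5, as an added Python example (not code from the patent or from ZTE). The level-to-algorithm table, the default levels, the sec value table and the Flag values are the page's; the assumptions are that "bit 1" of the byte is its most significant bit, that bits 7 and 8 stay zero, and that a result outside the three defined levels is clamped, since the page does not say what happens when the adjustment leaves the range 1 to 3.

```python
# Mappings from the page (steps 101, 301, 302 and the Enc field description).
LEVEL_ALGORITHM = {1: None, 2: "churning", 3: "aes"}
DEFAULT_LEVEL = {"video_voice": 2, "data": 3}
SEC_ADJUST = {0b000: 0, 0b001: +1, 0b010: +2, 0b100: -1, 0b110: -2}
FLAG_FOR_ALG = {None: 0b00, "churning": 0b01, "aes": 0b10}
ALG_FOR_FLAG = {v: k for k, v in FLAG_FOR_ALG.items()}
MIN_LEVEL, MAX_LEVEL = 1, 3


def resolve_level(service_type, sec_bits):
    """Step 303: default level of the service class plus the user's sec adjustment."""
    if sec_bits not in SEC_ADJUST:
        raise ValueError(f"sec value {sec_bits:03b} is not defined")
    level = DEFAULT_LEVEL[service_type] + SEC_ADJUST[sec_bits]
    # Assumption: only levels 1-3 are defined, so out-of-range results are clamped.
    return max(MIN_LEVEL, min(MAX_LEVEL, level))


def encode_byte5(alg, key_index, sec_bits):
    """Preamble byte 5. Assumption: bit 1 is the most significant bit, so
    Flag = bits 1-2, Key_Index = bit 3, sec = bits 4-6; bits 7-8 are left zero."""
    return (FLAG_FOR_ALG[alg] << 6) | ((key_index & 1) << 5) | ((sec_bits & 0b111) << 2)


def decode_byte5(value):
    """Inverse of encode_byte5; Flag value 11 has no meaning on the page and is rejected."""
    flag = (value >> 6) & 0b11
    if flag not in ALG_FOR_FLAG:
        raise ValueError("Flag value 11 is not defined")
    return {"alg": ALG_FOR_FLAG[flag], "key_index": (value >> 5) & 1, "sec": (value >> 2) & 0b111}


def select_cipher(service_type, sec_bits, key_index):
    """Returns (security level, algorithm, preamble byte 5) for one downstream frame."""
    level = resolve_level(service_type, sec_bits)
    alg = LEVEL_ALGORITHM[level]
    return level, alg, encode_byte5(alg, key_index, sec_bits)
```

The page's own example, a video/voice flow with sec=001, resolves to level 3 and AES; a data flow with sec=110 drops to level 1 and is sent in plaintext with Flag=00.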
Embodiment four:
As shown in Figure 7, in the systematic system of the reinforcement EPON of one embodiment of the invention, ONU receives that the decrypting process behind the Business Stream that OLT sends may further comprise the steps:
Step 401, ONU receives the Business Stream that OLT sends over;
Step 402, ONU judges whether the needs deciphering according to the Flag position of Enc in the Frame, if need deciphering, then determines to enter corresponding decipherment algorithm step 403, otherwise enter step 406;
Step 403, ONU determines the cipher key number that ONU adopts according to the cipher key index Key_Index of the Enc field in each frame in decrypting process, judge whether cipher key number equals the cipher key number in the up-to-date cipher key register; If then enter step 404, otherwise enter step 405;
Step 404, with the key of storing in the up-to-date cipher key register to decrypt ciphertext; Enter step 406;
Step 405, the key in the usefulness time new key register is to decrypt ciphertext; Enter step 406;
Step 406 is sent to the destination with the data after the deciphering.
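The ONU-side register selection of steps 402 to 406 (and the reason for the two ONU registers given in step 102), as an added Python example that is not code from the patent or from ZTE. The page does not reproduce the triple churning or AES transforms, so toy_cipher, a plain XOR with the repeated key, stands in for them; the keys and payloads are constructed, and the frame is modelled as a (flag, key_index, payload) tuple rather than a real preamble.

```python
def toy_cipher(key, data):
    """Symmetric stand-in for the page's churning/AES transforms: XOR with the
    repeated key, so the same call both encrypts and decrypts. Assumed, not the patent's."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


class OnuDecryptor:
    def __init__(self, initial_key):
        # Both registers start with the same value (initialization note after step 105).
        self.latest = (0, initial_key)
        self.previous = (0, initial_key)

    def rotate(self, new_index, new_key):
        """Step 204: latest moves to second-newest, the new key becomes latest."""
        self.previous = self.latest
        self.latest = (new_index, new_key)

    def process(self, frame):
        """Steps 402-406 for one frame given as (Flag bits, Key_Index bit, payload)."""
        flag, key_index, payload = frame
        if flag == 0b00:                              # step 402: plaintext, forward unchanged
            return payload
        if flag not in (0b01, 0b10):
            raise ValueError("undefined Flag value")
        # Step 403: key number equal to the latest register -> step 404, else step 405.
        _, key = self.latest if key_index == self.latest[0] else self.previous
        return toy_cipher(key, payload)


def olt_frame(flag, key_register, payload):
    """Step 304 as seen by the ONU: encrypt with the OLT's current key and mark its number."""
    key_index, key = key_register
    return (flag, key_index, toy_cipher(key, payload))


def demo():
    """Constructed scenario: a frame encrypted under the old key is still in flight
    when the ONU rotates to the new key. Returns the three recovered payloads."""
    old = (0, bytes.fromhex("0a0b0c"))               # constructed churning-size keys
    new = (1, bytes.fromhex("1d1e1f"))
    onu = OnuDecryptor(bytes(3))
    onu.rotate(*old)
    in_flight = olt_frame(0b01, old, b"voice sample 1")
    onu.rotate(*new)                                  # ONU has already answered the next key request
    first = onu.process(in_flight)                    # key number 0 != latest (1): second-newest register
    second = onu.process(olt_frame(0b01, new, b"voice sample 2"))
    third = onu.process((0b00, 0, b"unencrypted level-1 data"))
    return first, second, third
```

The first frame is recovered only because the second-newest register still holds the key the OLT used; with a single ONU register the frames in flight during each update would be lost, which is the synchronization point step 102 makes.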
Embodiment five:
As shown in Figure 8, a device for strengthening the security of an EPON system according to the present invention comprises a security level setting module 701, an encryption sending module 702 and a decryption module 703, wherein the security level setting module 701 is used to set security levels on the optical line terminal OLT, different security levels corresponding to different encryption algorithms; the encryption sending module 702 is used for the OLT to encrypt a service stream with the corresponding encryption algorithm according to the security level of that service stream and then send it to the ONU; and the decryption module 703 is used, after the optical network unit ONU receives the encrypted service data frames sent by the OLT, to decrypt those service data frames with the corresponding decryption algorithm and decryption key.
The device for strengthening EPON system security according to one embodiment of the invention further comprises a key updating module 704; the key updating module 704 is used for the OLT to update the key of each encryption algorithm separately from the ONU, according to the different encryption algorithms.
The device for strengthening EPON system security according to one embodiment of the invention further comprises a security level adjustment module, arranged on the OLT, for raising or lowering the security level of a service stream according to demand.
The present invention sets different security levels, with different security levels corresponding to different encryption algorithms; the user can adjust the security level of a service stream, the security level of the service stream is determined from the adjusted security level together with the default security level, and the corresponding encryption algorithm is adopted. This better satisfies the user's requirements on security and delay, and can also reduce the consumption of system resources. Meanwhile, in the present invention the OLT obtains the keys of the algorithms from the ONU, which strengthens the security performance of the system and guarantees key synchronization; the OLT obtains keys periodically, and periodically updating the keys reduces the possibility of a key being cracked, further strengthening the security of the system.
The above content further describes the present invention in conjunction with specific preferred embodiments, but these are only examples given for ease of understanding, and it should not be considered that the specific implementation of the present invention is confined to these descriptions. For those of ordinary skill in the technical field of the present invention, various possible equivalent changes or replacements can be made without departing from the inventive concept, and all such changes or replacements shall fall within the protection scope of the present invention.

Claims (12)

1. A method for strengthening the security of an EPON system, characterized by comprising:
Setting security levels on the optical line terminal OLT, different security levels corresponding to different encryption algorithms; the OLT, according to the security level of a service stream, encrypts the data frames of the service stream with the corresponding encryption algorithm and sends them to the optical network unit ONU; after the ONU receives the data frames of the service stream, it decrypts the data frames with the corresponding decryption algorithm and key.
2. The method for strengthening EPON system security as claimed in claim 1, characterized in that different security levels corresponding to different encryption algorithms specifically comprises:
Security level 1: the corresponding service stream does not need to be encrypted;
Security level 2: the corresponding service stream is encrypted with the triple churning encryption algorithm;
Security level 3: the corresponding service stream is encrypted with the AES algorithm.
3. The method for strengthening EPON system security as claimed in claim 2, characterized in that raising or lowering the security level according to demand is carried out as follows:
The 4th, 5th and 6th bits of the 5th byte of the EPON frame preamble in the service stream are used as the sec flag bits to identify the user's adjustment to the security level, different values of the sec flag bits representing raising or lowering the default security level corresponding to the type of service;
The security level corresponding to the service stream is determined according to the default security level and the adjusted security level.
4. The method for strengthening EPON system security as claimed in any one of claims 1 to 3, characterized by further comprising: the OLT updates the key of each encryption algorithm separately from the ONU according to the different encryption algorithms, which specifically comprises the following steps:
A1: the OLT sends a new key request frame to the ONU;
A2: after the ONU receives the new key request frame, it sends a new key notification frame to the OLT, the new key notification frame containing the new key and its key number;
A3: the ONU writes the value held in the current latest key register into the previous key register, and writes the latest key and key number sent to the OLT into the latest key register;
A4: after the OLT receives the new key notification frame, it reads the associated key and key number and writes them into its key register.
5. The method for strengthening EPON system security as claimed in claim 4, characterized in that the OLT updates the key from the ONU periodically.
6. The method for strengthening EPON system security as claimed in claim 5, characterized in that the OLT periodically updating the key from the ONU specifically comprises the following steps:
A1': the OLT sets a first timer and a second timer for each encryption algorithm;
A2': when the first timer expires, the OLT sends a new key request frame to the ONU and starts the second timer;
A3': after the ONU receives the new key request frame, it sends a new key notification frame to the OLT, the new key notification frame containing the new key and its key number;
A4': if the OLT has received the new key notification frame sent by the ONU before the second timer expires, it reads the associated key and key number, writes them into the key register and resets the second timer, and the key update succeeds; if the OLT still has not received the new key notification frame sent by the ONU after the second timer expires, this indicates that the key update has failed, and the OLT resets the second timer, sends the new key request frame to the ONU again, and reports the update failure to the network management system.
7. The method for strengthening EPON system security as claimed in claim 1, characterized in that the OLT, according to the security level of the service stream, encrypting the data frames of the service stream with the corresponding encryption algorithm and sending them to the ONU comprises the following steps:
B1: the OLT determines the security level of the service stream and determines the encryption algorithm to use according to that security level;
B2: the OLT reads the current key from the register corresponding to that encryption algorithm, encrypts the data frames of the service stream, and sends them to the ONU.
8. The method for strengthening EPON system security as claimed in claim 7, characterized in that the ONU, after receiving the data frames of the service stream, decrypting the data frames with the corresponding decryption algorithm and key comprises the following steps:
B3: after the ONU receives the service stream sent by the OLT, it determines the corresponding decryption algorithm and key number;
B4: if the key number is identical to the key number in the latest key register corresponding to this decryption algorithm, the data frames of the service stream are decrypted with the key in this latest key register, otherwise the data frames of the service stream are decrypted with the key in the previous key register.
9. The method for strengthening EPON system security as claimed in claim 8, characterized in that step B2 further comprises:
In the service stream sent by the OLT to the ONU, the 1st, 2nd and 3rd bits of the 5th byte of the EPON frame preamble are used as the key information flag bits; the key information flag bits consist of an encryption identification and a key index, wherein the encryption identification indicates whether this frame is encrypted and with which encryption algorithm, and the key index indicates the key number that the ONU uses in the decryption process;
Step B3 further comprises:
The ONU determines, according to the encryption identification, whether the service stream needs to be decrypted, and if the service stream needs to be decrypted, determines the corresponding decryption algorithm;
The ONU determines, according to the key index, the key number to use in the decryption process.
10. A device for strengthening the security of an EPON system, characterized by comprising a security level setting module, an encryption sending module and a decryption module, wherein the security level setting module is used to set security levels on the optical line terminal OLT, different security levels corresponding to different encryption algorithms; the encryption sending module is used for the OLT to encrypt a service stream with the corresponding encryption algorithm according to the security level of that service stream and then send it to the ONU; and the decryption module is used, after the optical network unit ONU receives the encrypted service data frames sent by the OLT, to decrypt those service data frames with the corresponding decryption algorithm and decryption key.
11. The device for strengthening EPON system security as claimed in claim 10, characterized by further comprising a key updating module, the key updating module being used for the OLT to update the key of each encryption algorithm separately from the ONU according to the different encryption algorithms.
12. The device for strengthening EPON system security as claimed in claim 10 or 11, characterized by further comprising a security level adjustment module, arranged on the OLT, for raising or lowering the security level of a service stream according to demand.
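The following simulation, added here and not part of the patent or of ZTE's code, ties together claims 2 to 9: the level-to-algorithm mapping, the sec flag and key information flag carried in byte 5 of the preamble, the ONU's latest/previous key registers, the timer-guarded key update, and the ONU's choice of register by key index. The bit order inside the flag fields, the sec flag values, the 1-bit key number and the XOR stand-in cipher are assumptions made so the example runs offline.

```python
"""Added simulation of the level, preamble-flag and key-register logic in the
claims (not the patent's or ZTE's code). Assumed: bits 1-3 of preamble byte 5 =
2-bit algorithm id + 1-bit key index, bits 4-6 = sec flag (0 keep, 1 raise,
2 lower the default level); an XOR stand-in replaces triple churning and AES."""
import os
from dataclasses import dataclass, field

ALGO_BY_LEVEL = {1: None, 2: "triple-churning", 3: "AES"}  # claim 2
ALGO_ID = {"triple-churning": 1, "AES": 2}                 # 0 = not encrypted
SEC_ADJUST = {0: 0, 1: +1, 2: -1}                          # assumed sec-flag codes

def effective_level(default_level: int, sec_flag: int) -> int:
    return min(3, max(1, default_level + SEC_ADJUST[sec_flag]))  # claim 3

def encode_byte5(algo_id: int, key_index: int, sec_flag: int) -> int:
    return algo_id | (key_index << 2) | (sec_flag << 3)  # bits 1-3 key info, 4-6 sec

def decode_byte5(b: int) -> tuple:
    return b & 0b11, (b >> 2) & 1, (b >> 3) & 0b111

def toy_cipher(key: bytes, data: bytes) -> bytes:
    """Stand-in for triple churning / AES so the example runs offline."""
    return bytes(d ^ key[i % len(key)] for i, d in enumerate(data))

@dataclass
class ONU:
    latest: dict = field(default_factory=dict)    # algo -> (key number, key)
    previous: dict = field(default_factory=dict)  # the 'previous key register'
    def handle_key_request(self, algo: str) -> tuple:
        """Claim 4, A2/A3: generate a key, move the old one to 'previous'."""
        if algo in self.latest:
            self.previous[algo] = self.latest[algo]
        number = (self.previous[algo][0] + 1) % 2 if algo in self.previous else 0
        self.latest[algo] = (number, os.urandom(16))  # constructed key
        return self.latest[algo]                      # new-key notification
    def decrypt(self, byte5: int, payload: bytes) -> bytes:
        """Steps 402-406: use the register whose number matches the key index."""
        algo_id, key_index, _ = decode_byte5(byte5)
        if algo_id == 0:
            return payload
        algo = {v: k for k, v in ALGO_ID.items()}[algo_id]
        number, key = self.latest[algo]
        if key_index != number:           # frame still uses the previous key
            number, key = self.previous[algo]
        return toy_cipher(key, payload)

@dataclass
class OLT:
    onu: ONU
    registers: dict = field(default_factory=dict)  # algo -> (number, key)
    failures: int = 0
    def update_key(self, algo: str, onu_answers: bool = True) -> bool:
        """Claim 6: request on first-timer expiry; second timer guards the reply."""
        if not onu_answers:      # second timer expired without a notification
            self.failures += 1   # resend the request and report to the NMS
            return False
        self.registers[algo] = self.onu.handle_key_request(algo)
        return True
    def send(self, default_level: int, sec_flag: int, frame: bytes) -> tuple:
        """Claim 7: algorithm by level, current key from its register, encrypt."""
        algo = ALGO_BY_LEVEL[effective_level(default_level, sec_flag)]
        if algo is None:
            return encode_byte5(0, 0, sec_flag), frame
        number, key = self.registers[algo]
        return encode_byte5(ALGO_ID[algo], number, sec_flag), toy_cipher(key, frame)
```

The point worth checking is the overlap case of step B4: once the ONU has rotated its registers, a frame still carrying the old key index decrypts correctly from the previous register instead of being dropped.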
CN2009101891360A 2009-12-16 2009-12-16 Method and device for improving safety of EPON system Pending CN102104478A (en)


Publications (1)

Publication Number Publication Date
CN102104478A true CN102104478A (en) 2011-06-22

Family

ID=44157028



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20110622