CN106470198B - Identity verification method, device and system of optical transport network - Google Patents


Info

Publication number: CN106470198B
Authority: CN (China)
Prior art keywords: slave, identity, information, master, authentication
Legal status: Active
Application number: CN201510516255.8A
Other languages: Chinese (zh)
Other versions: CN106470198A
Inventors: 郑靖, 王春光, 杜凯
Current assignee: ZTE Corp
Original assignee: ZTE Corp
Priority: CN201510516255.8A; PCT/CN2016/095962 (WO2017028807A1)
Publications: CN106470198A (application), CN106470198B (grant)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0876 Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials

Abstract

The invention discloses an identity verification method of an optical transport network, which comprises the following steps: when the identity authentication is started, acquiring a random number to construct an identity authentication request message, and sending the identity authentication request message to a slave end; receiving the identity authentication response message fed back by the slave end; and analyzing the identity authentication response message to obtain first slave end identity information, and judging whether identity authentication is successful according to the first slave end identity information and the stored second slave end identity information. The invention also discloses an authentication device and system of the optical transport network. The invention improves the safety and reliability of the identity authentication in the optical transport network.

Description

Identity verification method, device and system of optical transport network
Technical Field
The present invention relates to the field of communications technologies, and in particular, to an identity authentication method, apparatus, and system for an optical transport network.
Background
As security incidents have accumulated, the demand for secure service communication has risen significantly for the core services of large enterprises. A safe and reliable identity verification mechanism in an encrypted transmission system is the guarantee of OTN (Optical Transport Network) encryption; because there is no international standard for implementing identity verification in the electrical monitoring system of an OTN, different OTN equipment manufacturers provide different identity verification schemes.
At present, in an end-to-end OTN encrypted transmission system, authentication is implemented by means of a user name and a password. This solution has the following problems: first, the user name and password are easily stolen by others, and the security strength is not sufficient. Second, if security needs to be increased in the conventional authentication mechanism, a matching infrastructure, such as a public key infrastructure, needs to be added, which will increase implementation cost and reduce reliability.
Disclosure of Invention
The invention mainly aims to provide an identity authentication method, device and system of an optical transport network, aiming at improving the safety and reliability of identity authentication.
In order to achieve the above object, the present invention provides an authentication method for an optical transport network, comprising:
when the identity authentication is started, acquiring a random number to construct an identity authentication request message, and sending the identity authentication request message to a slave end;
receiving the identity authentication response message fed back by the slave end;
and analyzing the identity authentication response message to obtain first slave end identity information, and judging whether identity authentication is successful according to the first slave end identity information and the stored second slave end identity information.
Preferably, the obtaining the random number to construct the authentication request message includes:
acquiring local timestamp information;
and generating a random number by utilizing a Hash algorithm and a random number algorithm according to the local timestamp information, and constructing an identity verification request message according to the random number.
Preferably, the obtaining a random number to construct an authentication request message when the authentication is started, and sending the authentication request message to the slave end, includes:
when the identity authentication response message fed back by the slave end for the identity authentication request message is not received within a first preset time, retransmitting the identity authentication request message to the slave end; and, once the number of failed identity authentication requests reaches a preset number, retransmitting the identity authentication request message after a second preset time has elapsed or after an optical input is present.
Preferably, before performing all the steps, the method further comprises:
two symmetric service single boards determine a master end and a slave end according to an auto-negotiation algorithm or a received network management protocol configuration instruction, and the master end and the slave end respectively receive authentication link configuration information issued by a network manager, where the authentication link configuration information comprises password information of the master end, password information of the slave end, port information of the master end and port information of the slave end.
Preferably, before analyzing the identity authentication response message to obtain first slave end identity information, and determining whether identity authentication is successful according to the first slave end identity information and the stored second slave end identity information, the method includes:
and generating second slave identity information according to the password information of the slave, the port information of the slave and the random number for storage.
Preferably, a message is received or sent between the master end and the slave end through a preset overhead byte.
In addition, to achieve the above object, the present invention further provides an authentication apparatus for an optical transport network, including:
an acquisition module, used for acquiring a random number to construct an identity authentication request message and sending the identity authentication request message to the slave end when identity authentication is started;
the receiving module is used for receiving the identity authentication response message fed back by the slave end;
and the verification module is used for analyzing the identity authentication response message to acquire first slave end identity information and judging whether identity verification is successful according to the first slave end identity information and the stored second slave end identity information.
Preferably, the obtaining module includes:
an acquisition unit configured to acquire local timestamp information;
and the generating unit is used for generating a random number by utilizing a Hash algorithm and a random number algorithm according to the local timestamp information and constructing an identity authentication request message according to the random number.
Preferably, the authentication apparatus of the optical transport network further includes:
and a processing module, used for retransmitting the identity verification request message to the slave end when the identity verification response message fed back by the slave end for the identity verification request message is not received within the first preset time, and for retransmitting the identity verification request message after the second preset time has elapsed or after an optical input is present once the number of failed identity verification requests reaches the preset number.
Preferably, the authentication apparatus of the optical transport network further includes:
the determining module is used for determining a master end and a slave end by the two symmetric service single boards according to an auto-negotiation algorithm or a received network management protocol configuration instruction, wherein the master end and the slave end respectively receive authentication link configuration information issued by a network manager, and the authentication link configuration information comprises password information of the master end, password information of the slave end, port information of the master end and port information of the slave end.
Preferably, the authentication apparatus of the optical transport network further includes:
and the storage module is used for generating second slave identity information according to the password information of the slave, the port information of the slave and the random number for storage.
Preferably, a message is received or sent between the master end and the slave end through a preset overhead byte.
In addition, to achieve the above object, the present invention further provides an authentication system for an optical transport network, the authentication system for an optical transport network comprising a master and a slave, wherein,
the master end is used for acquiring the random number to construct an identity authentication request message when the identity authentication is started, and sending the identity authentication request message to the slave end;
the slave end is used for receiving the identity verification request message, constructing an identity authentication response message and sending the identity authentication response message to the master end;
and the master end is used for analyzing the identity authentication response message to acquire the identity information of the first slave end and judging whether the identity authentication is successful according to the identity information of the first slave end and the stored identity information of the second slave end.
Preferably, the master is further configured to obtain local timestamp information;
and generating a random number by utilizing a Hash algorithm and a random number algorithm according to the local timestamp information, and constructing an identity verification request message according to the random number.
Preferably, the master is further configured to retransmit the authentication request message to the slave when an authentication response message fed back by the slave for the authentication request message is not received within a first preset time, and, once the number of failed authentication requests reaches a preset number, to retransmit the authentication request message after a second preset time has elapsed or after an optical input is present.
Preferably, the identity verification system of the optical transport network further includes:
the two symmetric service single boards determine a master end and a slave end according to an auto-negotiation algorithm or a received network management protocol configuration instruction;
the master end is also used for receiving authentication link configuration information issued by the network manager, wherein the authentication link configuration information comprises password information of the master end, password information of the slave end, port information of the master end and port information of the slave end;
the slave end is further used for receiving authentication link configuration information issued by the network manager, wherein the authentication link configuration information comprises password information of the master end, password information of the slave end, port information of the master end and port information of the slave end.
Preferably, the master is further configured to generate second slave identity information according to the password information of the slave, the port information of the slave, and the random number, and store the second slave identity information.
Preferably, a message is received or sent between the master end and the slave end through a preset overhead byte.
After the master end and the slave end are determined for the two symmetrical service single boards, the master end acquires the random number to construct the identity verification request message and then sends the identity verification request message to the slave end when the master end starts the identity verification. After receiving the identity verification request message, the slave end constructs an identity authentication response message and sends the identity authentication response message to the master end. And after receiving the identity authentication response message, the master terminal analyzes the identity authentication response message to acquire the identity information of the first slave terminal, compares the identity information of the first slave terminal with the stored identity information of the second slave terminal and judges whether the identity authentication is successful. The method and the device realize mutual sending or receiving of messages according to the master end and the slave end arranged in the optical transport network, verify the identity information generated by the random number, and improve the safety and reliability of identity verification in the optical transport network.
Drawings
Fig. 1 is a flowchart illustrating an authentication method of an optical transport network according to a first embodiment of the present invention;
fig. 2 is a flowchart illustrating an authentication method of an optical transport network according to a second embodiment of the present invention;
fig. 3 is a flowchart illustrating an authentication method of an optical transport network according to a third embodiment of the present invention;
fig. 4 is a flowchart illustrating an authentication method of an optical transport network according to a fourth embodiment of the present invention;
fig. 5 is a functional block diagram of an authentication apparatus of an optical transport network according to a first embodiment of the present invention;
fig. 6 is a functional block diagram of an authentication apparatus of an optical transport network according to a second embodiment of the present invention;
fig. 7 is a functional block diagram of an authentication apparatus of an optical transport network according to a third embodiment of the present invention;
fig. 8 is a functional block diagram of an authentication apparatus of an optical transport network according to a fourth embodiment of the present invention;
fig. 9 is a functional block diagram of an authentication system of an OTN according to an embodiment of the present invention.
The implementation, functional features and advantages of the objects of the present invention will be further explained with reference to the accompanying drawings.
Detailed Description
It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
Fig. 1 shows a first embodiment of the authentication method of the optical transport network according to the present invention. The identity authentication method of the optical transport network of the embodiment includes:
step S10, when starting the identity authentication, obtaining the random number to construct the identity authentication request message, and sending the identity authentication request message to the slave end;
in this embodiment, when the master starts the authentication of the identity information, the master state machine enters an authentication request state; the master state machine is mainly used to control the timing sequence of the master. The master generates a random number through a hash algorithm and a random number algorithm to construct an authentication request message; specifically:
acquiring local timestamp information;
and generating a random number by utilizing a Hash algorithm and a random number algorithm according to the local timestamp information, and constructing an identity verification request message according to the random number.
In this embodiment, the master reads local timestamp information generated by a chip corresponding to the master service board, and feeds the local timestamp information into a function consisting of a hash algorithm and a random number algorithm to generate a random number, so that identity information can be constructed from the random number. The hash algorithm can be chosen flexibly according to the specific situation; preferably, the 10-byte local timestamp information is hashed with hash 256 to produce a 32-byte binary value, and the random number algorithm then turns that 32-byte value into a 32-byte binary random number. It should be noted that the local timestamp information increases monotonically, which ensures that the timestamp information taken each time is different. Because the random number is calculated by a hash algorithm together with a random number algorithm and the identity information is constructed from it, the method has higher security.
In this embodiment, messages are received or sent between the master and the slave through the preset overhead byte, and the preset overhead byte can be dynamically configured according to actual needs; that is, the preset overhead byte can be dynamically configured according to the different interface addresses configured. Dynamic configuration of the overhead byte makes it difficult for an eavesdropper to track which overhead byte actually carries the transmission, further increasing the security of authentication. Specifically, the master end sends an identity authentication request message to the slave end through a first preset overhead byte, the master end state machine enters a sending state, and the counter built into the master end starts timing so that the time taken by the slave end to feed back an identity authentication response message for the request can be detected. By default the master sends information in the overhead byte at row 4, column 13 of the scheduled ODUk frame, that is, the first preset overhead byte may be set to row 4, column 13. It should be noted that the first preset overhead byte may be dynamically configured according to actual needs.
Step S20, receiving the identity authentication response message fed back by the slave end;
since the slave is passive, the slave needs to detect whether a message has been sent so that it can receive the message in time. After the master end finishes sending the authentication request message, the slave end polls for the message sent by the master end at a predefined period; the predefined period can be set to 1 second, or set according to actual needs. When the state identification signal is valid, that is, when the signal level is high, the master end has a message to send, and the slave end receives the authentication request message through a second preset overhead byte. Conversely, when the state identification signal is invalid, i.e. when the signal level is 0, the master has no message to send. By default the slave receives information in the overhead byte at row 4, column 13 of the scheduled ODUk frame, i.e. the second preset overhead byte may be set to row 4, column 13. It should be noted that the second preset overhead byte may be dynamically configured according to actual needs.
Further, the slave side verifies the received identity verification request message according to a verification mechanism. Specifically, the slave side extracts the first byte of the identity verification request message to determine the message type, extracts the second byte to obtain the length, and then compares that length with the length returned by the master control chip of the slave side; if the two are consistent, the identity verification request message is valid. If they are not consistent, the message is invalid, and the slave end feeds back failure state information to the master end, so that the master end retransmits the identity authentication request message to the slave end after receiving the failure state information fed back by the slave end.
After verifying that the authentication request message is valid, the slave end reads the content of the authentication request message and obtains the random number by parsing it, this being the random number from which the master end constructed the authentication request message. The slave end then generates first slave end identity information through a hash algorithm from the password information of the slave end, the port information of the slave end and the parsed random number; the first slave end identity information is a binary number.
The slave end constructs an identity authentication response message from the first slave end identity information and sends it to the master end, and the master end receives the identity authentication response message. Specifically, after the slave generates the first slave identity information, the identity authentication response message is built from it: for example, a 4-byte header may be combined with the 32-byte first slave identity information to obtain the identity authentication response message, and the first byte of the 4-byte header may indicate that the message type is an identity authentication response message. The slave then sends the identity authentication response message to the master through a third preset overhead byte; by default the slave sends information in the overhead byte at row 4, column 14 of the scheduled ODUk frame, that is, the third preset overhead byte may be set to row 4, column 14. It should be noted that the third preset overhead byte can be dynamically configured. After the slave end sends the identity authentication response message, the slave end state machine changes to a sending state.
Step S30, parsing the identity authentication response message to obtain first slave identity information, and determining whether identity authentication is successful according to the first slave identity information and the stored second slave identity information.
The master end polls for the message sent by the slave end at a preset period; the preset period can be set to 1 second, or set according to actual needs. When the state identification signal is valid, that is, when the signal level is high, the slave end has fed back a message, and the master end receives the identity authentication response message through a fourth preset overhead byte. Conversely, when the state identification signal is invalid, i.e. when the signal level is 0, the slave has no feedback message. By default the master receives information in the overhead byte at row 4, column 14 of the scheduled ODUk frame, that is, the fourth preset overhead byte may be set to row 4, column 14. It should be noted that the fourth preset overhead byte may be dynamically configured according to actual needs. If the master end has not received the identity authentication response message when its built-in counter exceeds the preset time, the master end retransmits the identity authentication request message to the slave end.
Further, the master end verifies the received identity authentication response message according to a verification mechanism. Specifically, the master end extracts the first byte of the identity authentication response message to determine the message type, extracts the second byte to obtain the length, and compares that length with the length returned by the master control chip of the master end; if the two are consistent, the identity authentication response message is valid, and the master end state machine enters a response state. If not, the message is invalid.
After verifying that the identity authentication response message is valid, the master end reads the content of the identity authentication response message and extracts the first slave end identity information by parsing it; this is the first slave end identity information generated by the slave end from the password information of the slave end, the port information of the slave end and the random number. The master end then compares the parsed first slave end identity information with the locally stored second slave end identity information, that is, it judges whether the binary number of the locally stored second slave end identity information is consistent with that of the first slave end identity information parsed from the identity authentication response message. If they are inconsistent, the master end state machine remains in the authentication request state; the authentication has not succeeded, and the master end restarts a new round of the authentication process. If they are consistent, the master end state machine enters a verification success state: the authentication has succeeded, the authentication process is complete, and the master end state machine then proceeds to other modules of the OTN encryption transmission system, such as the key transmission module and the lossless switching module. Meanwhile, the master end and the slave end detect the alarm state of the OTN encryption transmission system in real time: if the encrypted path is detected to have changed from failed to normal, the authentication process is restarted, so that authentication is carried out again after the link recovers, which improves the reliability of authentication. If the encrypted path is detected to have changed from normal to failed, the link is disconnected, and the authentication process needs to be restarted.
After the master end and the slave end have been determined for the two symmetric service single boards, the master end actively starts identity verification, acquires a random number to construct an identity verification request message, and sends it to the slave end. After receiving the identity authentication request message and verifying that it is valid, the slave parses it to obtain the random number and generates first slave identity information from the password information of the slave, the port information of the slave and the random number. The slave end then constructs an identity authentication response message from the slave end identity information and sends it to the master end. After the master end receives the identity authentication response message and verifies that it is valid, it parses the message to obtain the first slave end identity information, compares the locally stored second slave end identity information with the parsed first slave end identity information, and judges whether the identity authentication has succeeded. In this way, the master end and the slave end arranged in the optical transport network exchange messages through dynamically configurable overhead bytes and verify identity information constructed from a random number generated by a hash algorithm and a random number algorithm, which greatly increases the security and reliability of identity verification.
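The exchange of the first embodiment, as an added Python model that is not the patent's code or ZTE's: the master derives a 32-byte challenge from a 10-byte timestamp, both ends hold the link configuration issued by the network manager, the slave answers with a hash over its password, its port and the random number, and the master checks the type and length bytes of the header before comparing the parsed identity with the one it stored. SHA-256 standing in for "hash 256", mixing OS entropy in as the "random number algorithm", the reserved bytes 3 and 4 of the header, the field order inside the hash and the sample configuration values are all assumptions.

```python
import hashlib
import hmac
import os
import struct

# Message-type values are constructed for this example: the patent only says the
# first header byte carries the message type, not which values are used.
MSG_AUTH_REQUEST = 0x01
MSG_AUTH_RESPONSE = 0x02
HEADER_LEN = 4      # patent: a 4-byte header precedes the 32-byte identity
IDENTITY_LEN = 32   # 32-byte random number / 32-byte identity information


def derive_random_number(timestamp: bytes, entropy=None) -> bytes:
    """Master side: 10-byte local timestamp -> hash 256 -> 32 bytes -> random number.
    The patent does not name its random number algorithm; here (an assumption) the
    hashed timestamp is mixed with fresh OS entropy, because a timestamp on its own
    is guessable and the challenge must not be predictable by a third party."""
    if len(timestamp) != 10:
        raise ValueError("expected 10-byte local timestamp")
    seed = hashlib.sha256(timestamp).digest()
    if entropy is None:
        entropy = os.urandom(32)
    return hashlib.sha256(seed + entropy).digest()


def build_message(msg_type: int, payload: bytes) -> bytes:
    """byte 0 = message type, byte 1 = payload length, bytes 2-3 reserved
    (zero; an assumption), then the payload."""
    if len(payload) > 0xFF:
        raise ValueError("payload too long for the one-byte length field")
    return bytes([msg_type, len(payload), 0, 0]) + payload


def parse_message(frame: bytes, expected_type: int, expected_len: int):
    """The page's verification mechanism: check the type byte and compare the
    length byte with the length the control chip expects. Returns the payload,
    or None when the message is invalid (the receiver then reports failure)."""
    if len(frame) < HEADER_LEN:
        return None
    msg_type, length = frame[0], frame[1]
    if msg_type != expected_type or length != expected_len:
        return None
    if len(frame) != HEADER_LEN + length:
        return None
    return frame[HEADER_LEN:]


def slave_identity(password: bytes, port: bytes, random_number: bytes) -> bytes:
    """hash(slave password, slave port, random number) -> 32-byte identity.
    Length-prefixing each field is an assumption; it keeps 'ab'+'c' and
    'a'+'bc' from hashing to the same identity."""
    h = hashlib.sha256()
    for part in (password, port, random_number):
        h.update(struct.pack(">H", len(part)))
        h.update(part)
    return h.digest()


def master_start_authentication(link_cfg: dict, timestamp: bytes, entropy=None):
    """Step S10 plus the storage step: build the request and precompute the
    'second slave identity information' the master will compare against."""
    rnd = derive_random_number(timestamp, entropy)
    expected = slave_identity(link_cfg["slave_password"], link_cfg["slave_port"], rnd)
    return build_message(MSG_AUTH_REQUEST, rnd), expected


def slave_handle_request(link_cfg: dict, request: bytes):
    """Slave side: validate the request, parse the random number and answer with
    the 'first slave identity information'. None models failure state fed back."""
    rnd = parse_message(request, MSG_AUTH_REQUEST, IDENTITY_LEN)
    if rnd is None:
        return None
    ident = slave_identity(link_cfg["slave_password"], link_cfg["slave_port"], rnd)
    return build_message(MSG_AUTH_RESPONSE, ident)


def master_verify_response(response: bytes, expected_identity: bytes) -> bool:
    """Step S30: validate the response header, then compare the parsed first
    slave identity with the stored second slave identity in constant time."""
    ident = parse_message(response, MSG_AUTH_RESPONSE, IDENTITY_LEN)
    if ident is None:
        return False
    return hmac.compare_digest(ident, expected_identity)


def run_exchange(master_cfg: dict, slave_cfg: dict, timestamp: bytes, entropy=None) -> bool:
    """One full round; in the patent both configs come from the network manager."""
    request, expected = master_start_authentication(master_cfg, timestamp, entropy)
    response = slave_handle_request(slave_cfg, request)
    return response is not None and master_verify_response(response, expected)


if __name__ == "__main__":
    import time
    # Constructed link configuration; the patent gives no sample values.
    cfg = {"slave_password": b"slave-secret", "slave_port": b"ODU2-1-3"}
    ts = int(time.time() * 1000).to_bytes(10, "big")   # 10-byte local timestamp
    print("same config:", run_exchange(cfg, cfg, ts))
    print("wrong slave password:", run_exchange(cfg, dict(cfg, slave_password=b"x"), ts))
```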
Further, as shown in fig. 2, based on the first embodiment, a second embodiment of the identity verification method of an optical transport network according to the present invention is provided, where the step S10 may include:
step S40, when the identity authentication response message fed back by the slave end for the identity authentication request message is not received within the first preset time, retransmitting the identity authentication request message to the slave end; and, once the number of failed identity authentication requests reaches the preset number, retransmitting the identity authentication request message after the second preset time has elapsed or after an optical input is present.
When the master end sends an identity verification request message to the slave end, the counter built into the master end starts counting, and the master end uses the counter's time to judge whether the identity authentication response message fed back by the slave end for the identity verification request message has exceeded the first preset time. If no identity authentication response message is received within the first preset time, the current identity verification request has failed: the current count value of the counter is cleared, the failure count is incremented, and the identity verification request message is sent again. The first preset time can be set flexibly according to the specific conditions. It can be understood that, since the re-sent authentication request message is obtained by re-calculating the random number through the hash algorithm and the random number algorithm from newly acquired local timestamp information, and the new authentication request message is rebuilt from the new random number, the random number contained in each authentication request message sent is different.
To prevent the master end from repeatedly sending authentication request messages indefinitely after the link between the master end and the slave end is disconnected, which would increase the load on the equipment, the master end can stop sending the authentication request message once the accumulated number of authentication request failures reaches the preset number, and clear the failure count. The preset number can be set to 5, or set according to actual needs. After the second preset time, the master sends the authentication request message to the slave again, or, after the service is restored, that is, once there is an optical input, the master retransmits the authentication request message to the slave. The second preset time can be set flexibly according to the specific conditions.
Further, as shown in fig. 3, a third embodiment of the identity verification method of an optical transport network according to the present invention is provided on the basis of the first embodiment, in which, before all of the steps described above are performed, the method may include:
step S50, the two symmetrical service boards determine a master end and a slave end according to an auto-negotiation algorithm or a received network management protocol configuration instruction, and the master end and the slave end each receive authentication link configuration information issued by the network manager, the authentication link configuration information including the password information of the master end, the password information of the slave end, the port information of the master end and the port information of the slave end.
In this embodiment, before identity verification is performed, a master end and a slave end must be determined for the two symmetrical service boards that form the link. Of two symmetrical service boards under the same network manager in an OTN network, one is set as the master end and the other as the slave end; the master end then actively sends an identity verification request to the slave end to verify the validity of the slave end's identity information. This embodiment is built on existing hardware and does not require a dedicated central controller, which saves considerable cost. In addition, verifying identity information between a master end and a slave end improves the security of identity verification compared with the traditional symmetrical mechanism, in which a central controller verifies the identity information of each node separately.
Specifically, the master end and the slave end may be determined in either of two ways. In the first, the two symmetrical service boards determine the master end and the slave end through an auto-negotiation algorithm: while exchanging messages, each board computes a value from parameters such as its network element IP, slot number and port number, and the board with the larger value is designated the master end and the board with the smaller value the slave end. In the second, the master end and the slave end are determined through network management protocol configuration: the network manager issues a protocol message that specifies which of the two symmetrical service boards is the master end and which is the slave end, and the roles are assigned according to that message.
After the master end and the slave end have been configured, the network manager issues the authentication link configuration information to the master end and the slave end, so that both receive and store it. The authentication link configuration information is used mainly to generate the identity information of the master end or the slave end, and that identity information is the key to whether subsequent authentication succeeds. The authentication link configuration information may include the password information of the master end, the password information of the slave end, the port information of the master end, the port information of the slave end, the key material update period and update mode of the master end, and so on. The port information may be the network element IP, the slot number and the like. The password information and the port information may be numbers, characters or the like, and are converted into binary when the hash algorithm is applied. After link configuration is complete, the master end state machine and the slave end state machine are both initialised to their initial states. It can be understood that, so that the corresponding function can still be completed when the master and slave roles are switched, the master end and the slave end each receive authentication link configuration information that contains the information of both ends. Once the authentication link configuration is complete, the master end may send an identity verification request message to the slave end.
Further, as shown in fig. 4, a fourth embodiment of the identity verification method of an optical transport network according to the present invention is provided on the basis of the third embodiment, in which step S30 may include:
step S60, generating second slave identity information according to the password information of the slave end, the port information of the slave end and the random number, and storing it.
So that it can judge effectively whether identity verification has succeeded, that is, compare the first slave identity information obtained by parsing the identity authentication response message sent by the slave end with second slave identity information generated by the master end itself, in this embodiment the master end generates the second slave identity information by a hash algorithm from the obtained random number, the password information of the slave end and the port information of the slave end, and stores it locally, so that during identity verification the master end checks the stored second slave identity information against the first slave identity information fed back by the slave end. The hash algorithm is the same one the slave end uses to generate the first slave identity information. The password information and the port information can be set flexibly according to the specific situation. The master end constructs the identity verification request message from the obtained 32-byte binary random number: for example, a 4-byte message header may be combined with the 32-byte random number, and the first byte of the 4-byte header may indicate that the message type is identity verification request.
Correspondingly, as shown in fig. 5, a first embodiment of an identity verification apparatus for an optical transport network according to the present invention is provided. The identity verification apparatus of the optical transport network of this embodiment includes:
an obtaining module 100, configured to obtain a random number to construct an identity verification request message when identity verification is started, and to send the identity verification request message to the slave end;
In this embodiment, when the master end starts verification of identity information through the obtaining module 100, the master end state machine enters the authentication request state; the master end state machine is mainly used to control the timing sequence of the master end. The master end invokes the obtaining module 100 to generate a random number by a hash algorithm and a random number algorithm and to construct the identity verification request message from it. Specifically, the obtaining module 100 may include:
an acquisition unit, configured to acquire local timestamp information; and
a generating unit, configured to generate a random number from the local timestamp information using a hash algorithm and a random number algorithm, and to construct the identity verification request message from the random number.
In this embodiment, the master end calls the acquisition unit to read the local timestamp information generated by the chip of the master end service board, and the generating unit feeds the local timestamp information into a function composed of a hash algorithm and a random number algorithm to generate a random number, from which the identity information is then constructed. The hash algorithm can be chosen flexibly; preferably, the 10-byte local timestamp information is hashed with a 256-bit hash function (hash 256) to produce a 32-byte binary value, and the random number algorithm then turns that 32-byte value into a 32-byte binary random number. It should be noted that the local timestamp information is monotonically incremented, so that the timestamp read each time is different. Computing the random number with a hash algorithm and a random number algorithm and constructing the identity information from it gives higher security.
In this embodiment, messages between the master end and the slave end are received and sent through preset overhead bytes, and the preset overhead bytes can be configured dynamically according to actual needs, that is, by configuring different interface addresses. Dynamic configuration of the overhead bytes makes it difficult for an eavesdropper to track which overhead byte actually carries the transmission, which further increases the security of authentication. Specifically, the master end sends the identity verification request message to the slave end through a first preset overhead byte, the master end state machine enters the sending state, and the counter built into the master end starts timing so that the time taken by the slave end to feed back an identity authentication response message to the request can be measured. By default the master end sends through the overhead byte at row 4, column 13 of the ODUk frame, that is, the first preset overhead byte may be set to row 4, column 13. It should be noted that the first preset overhead byte may be configured dynamically according to actual needs.
a receiving module 200, configured to receive the identity authentication response message fed back by the slave end;
Because the slave end receives passively, it must detect whether a message has been sent in order to receive it in time. After the master end finishes sending the identity verification request message, the slave end polls for messages from the master end at a predefined period, which can be set to 1 second or to another value according to actual needs. When the state identification signal is valid, that is, when its level is high, the master end has a message to send and the slave end receives the identity verification request message through a second preset overhead byte; conversely, when the state identification signal is invalid, that is, its level is 0, the master end has no message to send. By default the slave end receives through the overhead byte at row 4, column 13 of the ODUk frame, that is, the second preset overhead byte may be set to row 4, column 13. It should be noted that the second preset overhead byte may be configured dynamically according to actual needs.
Further, the slave end verifies the received identity verification request message according to a verification mechanism. Specifically, the slave end extracts the first byte of the identity verification request message to determine the message type and extracts the second byte to obtain the length, then compares that length with the length returned by the slave end's main control chip. If the two are consistent, the identity verification request message is valid; if they are inconsistent, it is invalid, and the slave end feeds back failure state information to the master end, so that the master end retransmits the identity verification request message to the slave end once it receives that failure state information.
After verifying that the identity verification request message is valid, the slave end reads its content and parses it to obtain the random number, which is the random number from which the master end constructed the identity verification request message. The slave end then generates the first slave identity information by a hash algorithm from the password information of the slave end, the port information of the slave end and the parsed random number; the first slave identity information is a binary number.
The slave end constructs an identity authentication response message from the first slave identity information and sends it to the master end, and the master end calls the receiving module 200 to receive it. Specifically, after the slave end generates the first slave identity information, the identity authentication response message is built from it: for example, a 4-byte message header may be combined with the 32-byte first slave identity information, and the first byte of the 4-byte header may indicate that the message type is identity authentication response. The slave end then sends the identity authentication response message to the master end through a third preset overhead byte; by default the slave end sends through the overhead byte at row 4, column 14 of the ODUk frame, that is, the third preset overhead byte may be set to row 4, column 14. It should be noted that the third preset overhead byte can be configured dynamically. After the slave end has sent the identity authentication response message, the slave end state machine changes to the sending state.
a verification module 300, configured to parse the identity authentication response message to obtain the first slave identity information, and to determine whether identity verification has succeeded according to the first slave identity information and the stored second slave identity information.
The master end polls for messages from the slave end at a preset period, which can be set to 1 second or to another value according to actual needs. When the state identification signal is valid, that is, when its level is high, the slave end has fed back a message and the master end receives the identity authentication response message through a fourth preset overhead byte; conversely, when the state identification signal is invalid, that is, its level is 0, the slave end has no message to feed back. By default the master end receives through the overhead byte at row 4, column 14 of the ODUk frame, that is, the fourth preset overhead byte may be set to row 4, column 14. It should be noted that the fourth preset overhead byte may be configured dynamically according to actual needs. If the master end has not received the identity authentication response message by the time its built-in counter exceeds the preset time, the master end retransmits the identity verification request message to the slave end.
Further, the master end calls the verification module 300 to verify the received identity authentication response message according to a verification mechanism. Specifically, the master end extracts the first byte of the identity authentication response message to determine the message type and extracts the second byte to obtain the length, then compares that length with the length returned by the master end's main control chip. If the two are consistent, the identity authentication response message is valid and the master end state machine enters the response state; if they are inconsistent, the message is invalid.
After verifying that the identity authentication response message is valid, the master end reads its content and parses it to extract the first slave identity information, which is the information the slave end generated from the password information of the slave end, the port information of the slave end and the random number. The master end then compares the parsed first slave identity information with the locally stored second slave identity information, that is, it judges whether the binary value of the locally stored second slave identity information is identical to that of the first slave identity information obtained by parsing the identity authentication response message. If they are not identical, the master end state machine remains in the authentication request state, authentication has failed, and the master end starts a new round of the authentication process. If they are identical, the master end state machine enters the verification success state, authentication has succeeded, that is, the authentication process is complete, and the master end state machine hands over to other modules of the OTN encrypted transmission system, such as the key transmission module and the lossless switching module. Meanwhile, the master end and the slave end monitor the alarm state of the OTN encrypted transmission system in real time: if the encrypted path is detected to go from failed to normal, the authentication process is restarted, so that authentication is performed again after the link has recovered, which improves the reliability of authentication.
If the encrypted path is detected to go from normal to failed, the link is disconnected and the authentication process must be restarted.
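The complete request/response exchange described above (random number from the local timestamp, 4-byte header plus 32-byte payload, type and length check on receipt, slave identity information derived from password, port and random number, master-side comparison against the stored second slave identity information, and the same message layout introduced in the fourth embodiment of the method) as an added, runnable example; this is not ZTE's code and the patent text does not fix these details. Assumed here: "hash 256" is SHA-256; the unspecified random number algorithm is modelled as a second tagged SHA-256 pass; the header layout is [type, length, 0, 0] with type 0x01 for requests and 0x02 for responses; and the identity hash is taken over length-prefixed password || port || random number.

```python
"""Challenge-response exchange of the page, modelled in Python (added example,
not ZTE's code). All constants, type codes and the hash-input layout are
assumptions; the patent only fixes the 4-byte header and 32-byte payload."""
import hashlib
import hmac
import struct
from typing import Optional

MSG_AUTH_REQUEST = 0x01   # assumed type code for header byte 0
MSG_AUTH_RESPONSE = 0x02  # assumed type code for header byte 0
HEADER_LEN = 4
PAYLOAD_LEN = 32


def derive_nonce(timestamp: bytes) -> bytes:
    """10-byte local timestamp -> 32-byte hash -> 32-byte random number."""
    if len(timestamp) != 10:
        raise ValueError("local timestamp information must be 10 bytes")
    h = hashlib.sha256(timestamp).digest()
    # Assumed stand-in for the page's unspecified "random number algorithm".
    return hashlib.sha256(b"otn-auth-rng" + h).digest()


def build_message(msg_type: int, payload: bytes) -> bytes:
    """4-byte header (type, length, reserved, reserved) + 32-byte payload."""
    if len(payload) != PAYLOAD_LEN:
        raise ValueError("payload must be 32 bytes")
    return struct.pack("!BBBB", msg_type, PAYLOAD_LEN, 0, 0) + payload


def parse_message(msg: bytes, expected_type: int) -> Optional[bytes]:
    """The page's validity check: byte 0 is the type, byte 1 the length, and
    the length must equal the value the board's main control chip expects.
    Returns the payload, or None when the message is invalid."""
    if len(msg) < HEADER_LEN:
        return None
    if msg[0] != expected_type or msg[1] != PAYLOAD_LEN:
        return None
    if len(msg) != HEADER_LEN + msg[1]:
        return None
    return msg[HEADER_LEN:]


def identity_info(password: bytes, port_info: bytes, nonce: bytes) -> bytes:
    """Slave identity information = hash(password, port, random number).
    Fields are length-prefixed so that (ab, c) and (a, bc) cannot collide."""
    h = hashlib.sha256()
    for field in (password, port_info, nonce):
        h.update(struct.pack("!H", len(field)) + field)
    return h.digest()


class Master:
    """Holds the slave's configured password and port information and the
    'second slave identity information' computed for the current nonce."""

    def __init__(self, slave_password: bytes, slave_port: bytes):
        self.slave_password = slave_password
        self.slave_port = slave_port
        self.expected: Optional[bytes] = None
        self.state = "INIT"

    def start(self, local_timestamp: bytes) -> bytes:
        nonce = derive_nonce(local_timestamp)
        self.expected = identity_info(self.slave_password, self.slave_port, nonce)
        self.state = "AUTH_REQUEST"
        return build_message(MSG_AUTH_REQUEST, nonce)

    def verify(self, response: bytes) -> bool:
        first_identity = parse_message(response, MSG_AUTH_RESPONSE)
        if first_identity is None or self.expected is None:
            return False                  # invalid message: stay in request state
        self.state = "RESPONSE"           # valid message: enter response state
        ok = hmac.compare_digest(first_identity, self.expected)  # constant time
        self.state = "SUCCESS" if ok else "AUTH_REQUEST"
        return ok


class Slave:
    def __init__(self, password: bytes, port_info: bytes):
        self.password = password
        self.port_info = port_info

    def respond(self, request: bytes) -> Optional[bytes]:
        nonce = parse_message(request, MSG_AUTH_REQUEST)
        if nonce is None:
            return None                   # page: feed back failure, master resends
        first_identity = identity_info(self.password, self.port_info, nonce)
        return build_message(MSG_AUTH_RESPONSE, first_identity)


def run_round(master: Master, slave: Slave, timestamp: bytes) -> bool:
    """One complete exchange; returns the master's verdict."""
    response = slave.respond(master.start(timestamp))
    return response is not None and master.verify(response)
```

Two points a practitioner would check in the scheme as described: the comparison of the two 32-byte identity values should be constant-time (here `hmac.compare_digest`), and a response captured in one round fails in the next because the random number changed, which is what the per-round timestamp buys. The construction hash(password || port || nonce) is a keyed hash in all but name; HMAC with the password as key is the standard way to get that property without relying on the concatenation layout. Note also that only the master verifies the slave; the slave does not verify the master, so the exchange is one-way as the page describes it.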
In summary, once the master end and the slave end have been determined for the two symmetrical service boards, the master end actively starts identity verification: the obtaining module 100 obtains a random number, constructs an identity verification request message from it and sends the message to the slave end. After receiving the identity verification request message and verifying that it is valid, the slave end parses it to obtain the random number, generates first slave identity information from the password information of the slave end, the port information of the slave end and the random number, constructs an identity authentication response message from that identity information and sends it to the master end. After the receiving module 200 receives the identity authentication response message and it has been verified as valid, the verification module 300 parses it to obtain the first slave identity information, compares the locally stored second slave identity information with it and judges whether identity verification has succeeded. In this way the master end and the slave end arranged in the optical transport network exchange messages through dynamically configurable overhead bytes and verify identity information constructed from a random number generated by a hash algorithm and a random number algorithm, which greatly increases the security and reliability of identity verification.
Further, as shown in fig. 6, a second embodiment of the identity verification apparatus for an optical transport network according to the present invention is provided on the basis of the first embodiment, in which the identity verification apparatus further includes:
a processing module 400, configured to retransmit the identity verification request message to the slave end when the identity authentication response message fed back by the slave end for the request is not received within a first preset time, and, after the number of failed identity verification requests reaches a preset number, to retransmit the identity verification request message only after a second preset time has elapsed or after optical input is present again.
When the master end sends an identity verification request message to the slave end, a counter built into the master end starts timing, and the master end calls the processing module 400 to judge, based on the counter, whether the identity authentication response message fed back by the slave end for this request has exceeded the first preset time. If no identity authentication response message has been received within the first preset time, the current identity verification request has failed: the current count value of the counter is cleared, the failure count is incremented, and the identity verification request message is sent again. The first preset time can be set flexibly according to the specific situation. It can be understood that, because each retransmitted identity verification request message is built from a new random number, recalculated by the hash algorithm and the random number algorithm from freshly acquired local timestamp information, the random number contained in each identity verification request message sent is different.
To prevent the master end from sending identity verification request messages indefinitely after the link between the master end and the slave end has been disconnected, which would add load to the equipment, the master end may call the processing module 400 to stop sending identity verification request messages once the accumulated number of failed identity verification requests reaches the preset number, and then clear the failure count. The preset number can be set to 5, or to another value according to actual needs. After the second preset time has elapsed, or after service has recovered (that is, once there is optical input again), the master end retransmits the identity verification request message to the slave end. The second preset time can be set flexibly according to the specific situation.
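The retry behaviour of the second embodiment (first preset time, failure counter, stop after the preset number, resume after the second preset time or when optical input returns), as described both for the method and for the processing module 400 above, modelled as a simulated state machine. This is an added example, not ZTE's code; the page fixes only the default failure limit of 5, so the first and second preset times are assumed values and time is driven by the caller rather than a hardware counter. It also shows the point the text makes about each resent request carrying a different random number.

```python
"""Master-side retry and back-off of the second embodiment (added example,
not ZTE's code). Timer values are assumptions; only the failure limit of 5
comes from the page."""
import hashlib
import itertools
import struct

FIRST_PRESET_TIME = 2.0    # seconds to wait for a response (assumed)
SECOND_PRESET_TIME = 30.0  # back-off after repeated failures (assumed)
PRESET_FAILURES = 5        # default from the page


def fresh_nonce(timestamp: int) -> bytes:
    """Stand-in for the hash + random number step: a new timestamp, a new nonce."""
    return hashlib.sha256(struct.pack("!Q", timestamp)).digest()


class RetryController:
    def __init__(self, first=FIRST_PRESET_TIME, second=SECOND_PRESET_TIME,
                 max_failures=PRESET_FAILURES):
        self.first, self.second, self.max_failures = first, second, max_failures
        self.failures = 0
        self.state = "IDLE"
        self.deadline = None        # expiry of the built-in counter
        self.backoff_until = None
        self.requests_sent = 0
        self.sent_nonces = []

    def send_request(self, now: float, nonce: bytes) -> None:
        self.requests_sent += 1
        self.sent_nonces.append(nonce)
        self.state = "WAIT_RESPONSE"
        self.deadline = now + self.first   # counter restarts with each send

    def on_tick(self, now: float, nonce_source) -> str:
        """Periodic check; returns the action taken so a caller can log it."""
        if self.state == "WAIT_RESPONSE" and now >= self.deadline:
            self.deadline = None           # clear the counter
            self.failures += 1             # accumulate the failure count
            if self.failures >= self.max_failures:
                self.failures = 0          # clear the count and stop sending
                self.state = "BACKOFF"
                self.backoff_until = now + self.second
                return "backoff"
            self.send_request(now, nonce_source())   # new nonce every time
            return "resend"
        if self.state == "BACKOFF" and now >= self.backoff_until:
            self.send_request(now, nonce_source())
            return "resend_after_backoff"
        return "none"

    def on_light_input(self, now: float, nonce_source) -> bool:
        """Service recovered (optical input present): leave back-off early."""
        if self.state != "BACKOFF":
            return False
        self.send_request(now, nonce_source())
        return True

    def on_response(self) -> bool:
        if self.state != "WAIT_RESPONSE":
            return False               # late or unexpected response is ignored
        self.state, self.deadline, self.failures = "RESPONDED", None, 0
        return True


def simulate_silent_slave(until: float, light_at=None, tick: float = 1.0):
    """Drive the controller against a slave that never answers; returns the
    controller and a log of (time, action) pairs."""
    ctl = RetryController()
    stamps = itertools.count(1)
    nonce_source = lambda: fresh_nonce(next(stamps))
    now = 0.0
    ctl.send_request(now, nonce_source())
    log = []
    while now < until:
        now += tick
        if light_at is not None and now == light_at and ctl.on_light_input(now, nonce_source):
            log.append((now, "light_resend"))
        action = ctl.on_tick(now, nonce_source)
        if action != "none":
            log.append((now, action))
    return ctl, log
```

With the assumed 2-second first preset time, a silent slave produces five requests (the first plus four resends) before the controller enters back-off at t=10; nothing is sent again until the second preset time expires or the optical input event arrives. A late response arriving during back-off is deliberately ignored, since the nonce it answers is no longer the one the master expects.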
Further, as shown in fig. 7, a third embodiment of the identity verification apparatus for an optical transport network according to the present invention is provided on the basis of the first embodiment, in which the identity verification apparatus further includes:
a determining module 500, configured to determine a master end and a slave end for the two symmetrical service boards according to an auto-negotiation algorithm or a received network management protocol configuration instruction, where the master end and the slave end each receive authentication link configuration information issued by the network manager, the authentication link configuration information including the password information of the master end, the password information of the slave end, the port information of the master end and the port information of the slave end.
In this embodiment, before identity verification is performed, the determining module 500 must determine a master end and a slave end for the two symmetrical service boards that form the link. Of two symmetrical service boards under the same network manager in an OTN network, one is set as the master end and the other as the slave end; the master end then actively sends an identity verification request to the slave end to verify the validity of the slave end's identity information. This embodiment is built on existing hardware and does not require a dedicated central controller, which saves considerable cost. In addition, verifying identity information between a master end and a slave end improves the security of identity verification compared with the traditional symmetrical mechanism, in which a central controller verifies the identity information of each node separately.
Specifically, the master end and the slave end may be determined in either of two ways. In the first, the two symmetrical service boards determine the master end and the slave end through an auto-negotiation algorithm: while exchanging messages, each board computes a value from parameters such as its network element IP, slot number and port number, and the board with the larger value is designated the master end and the board with the smaller value the slave end. In the second, the master end and the slave end are determined through network management protocol configuration: the network manager issues a protocol message that specifies which of the two symmetrical service boards is the master end and which is the slave end, and the roles are assigned according to that message.
After the master end and the slave end have been configured, the network manager issues the authentication link configuration information to the master end and the slave end, so that both receive and store it. The authentication link configuration information is used mainly to generate the identity information of the master end or the slave end, and that identity information is the key to whether subsequent authentication succeeds. The authentication link configuration information may include the password information of the master end, the password information of the slave end, the port information of the master end, the port information of the slave end, the key material update period and update mode of the master end, and so on. The port information may be the network element IP, the slot number and the like. The password information and the port information may be numbers, characters or the like, and are converted into binary when the hash algorithm is applied. After link configuration is complete, the master end state machine and the slave end state machine are both initialised to their initial states. It can be understood that, so that the corresponding function can still be completed when the master and slave roles are switched, the master end and the slave end each receive authentication link configuration information that contains the information of both ends. Once the authentication link configuration is complete, the master end may send an identity verification request message to the slave end.
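Master/slave determination and distribution of the authentication link configuration, as described for the third embodiment of the method and again for the determining module 500 above, as an added example that is not ZTE's code. Assumed here, since the page does not fix them: the auto-negotiation compares (network element IP, slot number, port number) as a tuple with the IP taken numerically; the configuration record layout and the key update period value are illustrative; and the network management instruction is represented by the configuration record itself naming the master and slave ports.

```python
"""Master/slave election and authentication link configuration (added
example, not ZTE's code). Comparison order and record layout are assumptions."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class PortInfo:
    ne_ip: str
    slot: int
    port: int

    def rank(self):
        # Compare the IP as an integer, not a string: "10.1.1.10" sorts
        # below "10.1.1.2" as text but above it numerically.
        return (int(ipaddress.ip_address(self.ne_ip)), self.slot, self.port)


@dataclass(frozen=True)
class AuthLinkConfig:
    master_password: bytes
    slave_password: bytes
    master_port: PortInfo
    slave_port: PortInfo
    key_update_period_s: int = 86400  # assumed default


def negotiate_role(local: PortInfo, peer: PortInfo) -> str:
    """Mode one: the larger value is the master. Both boards run this with
    the arguments swapped and must reach complementary results."""
    if local.rank() == peer.rank():
        raise ValueError("identical port information on both boards; cannot elect")
    return "master" if local.rank() > peer.rank() else "slave"


def role_from_nms(cfg: AuthLinkConfig, local: PortInfo) -> str:
    """Mode two: the network manager's protocol message names the roles."""
    if local == cfg.master_port:
        return "master"
    if local == cfg.slave_port:
        return "slave"
    raise ValueError("local port is not part of the configured link")


class Board:
    """One service board holding the configuration of both ends."""

    def __init__(self, port: PortInfo, role: str, cfg: AuthLinkConfig):
        self.port, self.role, self.cfg = port, role, cfg
        self.state = "INIT"   # state machine initialised after link configuration

    def password_for(self, port: PortInfo) -> bytes:
        if port == self.cfg.master_port:
            return self.cfg.master_password
        if port == self.cfg.slave_port:
            return self.cfg.slave_password
        raise KeyError(port)

    def peer_port(self) -> PortInfo:
        return self.cfg.slave_port if self.port == self.cfg.master_port else self.cfg.master_port

    def verifier_key(self) -> bytes:
        """As master the board checks the peer's identity information, so it
        needs the peer's password; as slave it proves itself with its own."""
        return self.password_for(self.peer_port() if self.role == "master" else self.port)

    def switch_role(self) -> str:
        # Both ends hold both passwords, so a role switch needs no new config.
        self.role = "slave" if self.role == "master" else "master"
        self.state = "INIT"
        return self.role


def bring_up_link(a: PortInfo, b: PortInfo, pw_a: bytes, pw_b: bytes):
    """Elect roles by auto-negotiation, build the configuration the network
    manager would issue, and hand it to both boards."""
    role_a, role_b = negotiate_role(a, b), negotiate_role(b, a)
    master, slave = (a, b) if role_a == "master" else (b, a)
    passwords = {a: pw_a, b: pw_b}
    cfg = AuthLinkConfig(passwords[master], passwords[slave], master, slave)
    return cfg, {a: Board(a, role_a, cfg), b: Board(b, role_b, cfg)}
```

The election only works if both boards compute the same ordering from the same inputs; comparing the IP numerically rather than lexically and refusing to elect on a tie are the two details that matter in practice. Because each board receives both ends' password and port information, the board that becomes master after a role switch already holds what it needs to verify the new slave.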
Further, as shown in fig. 8, a fourth embodiment of the identity verification apparatus for an optical transport network according to the present invention is provided on the basis of the third embodiment, in which the identity verification apparatus further includes:
a saving module 600, configured to generate second slave identity information according to the password information of the slave end, the port information of the slave end and the random number, and to save the second slave identity information.
So that it can judge effectively whether identity verification has succeeded, that is, compare the first slave identity information obtained by parsing the identity authentication response message sent by the slave end with second slave identity information generated by the master end itself, in this embodiment the master end invokes the saving module 600 to generate the second slave identity information by a hash algorithm from the obtained random number, the password information of the slave end and the port information of the slave end, and to store it locally, so that during identity verification the master end checks the stored second slave identity information against the first slave identity information fed back by the slave end. The hash algorithm is the same one the slave end uses to generate the first slave identity information. The password information and the port information can be set flexibly according to the specific situation. The master end constructs the identity verification request message from the obtained 32-byte binary random number: for example, a 4-byte message header may be combined with the 32-byte random number, and the first byte of the 4-byte header may indicate that the message type is identity verification request.
Correspondingly, as shown in fig. 9, an embodiment of an authentication system of an optical transport network according to the present invention is provided. The authentication system of the optical transport network comprises a master terminal 10 and a slave terminal 20, wherein,
the master terminal 10 is configured to obtain a random number to construct an authentication request message when authentication is started, and send the authentication request message to the slave terminal;
in this embodiment, when the primary terminal 10 starts authentication of the identity information, the primary terminal state machine enters an authentication request state, and the primary terminal state machine is mainly used to control the time sequence of the primary terminal 10. The master 10 constructs an authentication request message by generating a random number through a hash algorithm and a random number algorithm, and specifically, the master 10 is further configured to,
acquiring local timestamp information;
and generating a random number by utilizing a Hash algorithm and a random number algorithm according to the local timestamp information, and constructing an identity verification request message according to the random number.
In this embodiment, the main terminal 10 reads local timestamp information generated by a chip corresponding to the service board of the main terminal 10, and introduces the local timestamp information into a function composed of a hash algorithm and a random number algorithm to generate a random number, so as to construct identity information according to the random number. The hash algorithm can be flexibly set according to specific situations, preferably, the obtained 10-byte local timestamp information can be used for generating 32-byte binary numbers by using the hash 256, and then the 32-byte binary numbers are used for generating 32-byte binary random numbers by using the random number algorithm. It should be noted that the local timestamp information is incremented to ensure that the timestamp information taken each time is different. The random number is calculated by adopting a Hash algorithm and a random number algorithm, and the identity information is constructed, so that the method has higher safety.
In this embodiment, the master 10 and the slave 20 receive and send messages through preset overhead bytes, and the preset overhead bytes can be configured dynamically according to actual needs, that is, different interface addresses can be configured to select which overhead byte is used. Because the overhead byte used for transmission can change, an eavesdropper has difficulty tracking which overhead byte actually carries the authentication traffic, which further increases the security of the authentication. Specifically, the master 10 sends the authentication request message to the slave 20 in a first preset overhead byte, the master state machine enters the sending state, and a counter built into the master 10 starts timing, so that the time taken by the slave 20 to feed back an authentication response message for the request can be measured. By default the master 10 sends using the overhead byte at row 4, column 13 of the ODUk overhead, that is, the first preset overhead byte may be set to row 4, column 13 (columns 9 to 14 of row 4 are reserved bytes in the ODUk overhead and carry no other standardized function). The first preset overhead byte may be reconfigured dynamically as needed.
the slave 20 is configured to receive the authentication request message, construct an authentication response message, and send the authentication response message to the master 10;
Because the slave 20 receives messages passively, it must detect whether a message has arrived so that it can be received in time. After the master 10 finishes sending the authentication request message, the slave 20 polls for a message from the master 10 with a predefined period, which may be set to 1 second or to another value according to actual needs. When the status flag signal is valid, that is, when the flag is at a high level, a message from the master 10 is pending and the slave 20 receives the authentication request message through a second preset overhead byte. Conversely, when the status flag signal is invalid, that is, when the flag is 0, the master 10 has sent no message. By default the slave 20 receives using the overhead byte at row 4, column 13 of the ODUk overhead, that is, the second preset overhead byte may be set to row 4, column 13; it too may be reconfigured dynamically as needed.
Further, the slave 20 checks the received authentication request message according to a verification mechanism: the slave 20 reads the first byte of the authentication request message to determine its type and the second byte to obtain the declared length, then compares that length with the length reported by the main control chip of the slave 20. If the two lengths agree, the authentication request message is valid; if they do not, the message is invalid and the slave 20 feeds back failure state information to the master 10, whereupon the master 10 retransmits the authentication request message to the slave 20.
After verifying that the authentication request message is valid, the slave 20 reads its content and parses out the random number, which is the random number from which the master 10 constructed the request. The slave 20 then generates first slave identity information, a binary number, by applying a hash algorithm to the password information of the slave 20, the port information of the slave 20 and the parsed random number.
The slave 20 constructs an authentication response message from the first slave identity information and sends it to the master 10, which receives it. Specifically, after generating the first slave identity information, the slave 20 builds the response by prepending a header to it; for example, a 4-byte header may be combined with the 32-byte first slave identity information, the first byte of the header indicating that the message type is an authentication response. The slave 20 then sends the authentication response message to the master 10 through a third preset overhead byte; by default it sends using the overhead byte at row 4, column 14 of the ODUk overhead, that is, the third preset overhead byte may be set to row 4, column 14, and it may be reconfigured dynamically. After sending the authentication response message, the slave state machine is set to the sending state.
and the master 10 is configured to parse the authentication response message to obtain the first slave identity information, and to determine whether authentication has succeeded from the first slave identity information and the stored second slave identity information.
The master 10 polls for the message from the slave 20 with a preset period, which may be set to 1 second or to another value according to actual needs. When the status flag signal is valid, that is, at a high level, the slave 20 has fed back a message and the master 10 receives the authentication response message through a fourth preset overhead byte; when the flag is invalid, that is, 0, there is no feedback message. By default the master 10 receives using the overhead byte at row 4, column 14 of the ODUk overhead, that is, the fourth preset overhead byte may be set to row 4, column 14, and it may be reconfigured dynamically. If the built-in counter of the master 10 exceeds the preset time before an authentication response message has been received, the master 10 retransmits the authentication request message to the slave 20.
Further, the master 10 checks the received authentication response message according to the same verification mechanism: it reads the first byte of the response to determine the message type and the second byte to obtain the declared length, and compares that length with the length reported by the main control chip of the master 10. If they agree, the authentication response message is valid and the master state machine enters the response state; if not, the message is invalid.
After verifying that the authentication response message is valid, the master 10 reads its content and parses out the first slave identity information, which is the value the slave 20 generated from the password information of the slave 20, the port information of the slave 20 and the random number. The master 10 then compares the parsed first slave identity information with the locally stored second slave identity information, that is, determines whether the two binary numbers are identical. If they differ, the master state machine remains in the authentication request state, the authentication has failed, and the master 10 starts a new authentication procedure. If they are identical, the master state machine enters the verification success state, the authentication has succeeded and the authentication procedure is complete; the master 10 then proceeds to the other modules of the OTN encrypted transmission system, such as the key transmission module and the lossless switching module. In addition, the master 10 and the slave 20 monitor the alarm state of the OTN encrypted transmission system in real time: if the encrypted path is detected to have recovered from failure to normal, the authentication procedure is restarted, so that authentication is performed again after the link recovers, which improves the reliability of the authentication; if the encrypted path is detected to have gone from normal to failed, the link is disconnected and the authentication procedure must likewise be restarted.
In summary, after the master 10 and the slave 20 have been determined for the two symmetric service boards, the master 10 actively starts authentication: it obtains a random number, constructs an authentication request message and sends it to the slave 20. After receiving the request and verifying that it is valid, the slave 20 parses out the random number and generates the first slave identity information from the password information of the slave 20, the port information of the slave 20 and the random number; it then constructs an authentication response message from that identity information and sends it to the master 10. After receiving the response and verifying that it is valid, the master 10 parses out the first slave identity information, compares it with the locally stored second slave identity information, and thereby determines whether the authentication has succeeded. Thus the master 10 and the slave 20 deployed in the optical transport network verify identity information built on a random number generated by a hash algorithm and a random number algorithm, exchanging the messages over dynamically configurable overhead bytes, which greatly increases the security and reliability of the identity verification.
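The request/response exchange summarized above, written out as an added example (illustrative code, not ZTE's implementation). It follows the description where it is specific: a 10-byte local timestamp hashed with SHA-256, a 4-byte header whose first byte is the type and second byte the length, a 32-byte body, the length check against the value the control chip expects, the slave identity as a hash over password, port information and random number, and the master's stored second slave identity information. Everything the page leaves open is an assumption and is marked as such in the comments: the type codes, the two spare header bytes, the field separators inside the identity hash, and the "random number algorithm", which is stood in for by HMAC-SHA256 keyed with the timestamp digest over fresh CSPRNG bytes, so that the random number is not a pure function of a predictable clock. The comparison uses a constant-time check, a practitioner's addition where the page says only that the two values must be consistent.

```python
"""Challenge-response exchange of the master/slave OTN authentication described above.

Example code added for illustration; not ZTE's implementation. Details the page does not
specify are marked "assumption" in the comments."""
import hashlib
import hmac
import os
import time
from typing import Optional

# Message layout from the description: 4-byte header + 32-byte body.
HEADER_LEN = 4
BODY_LEN = 32
# Type codes for the first header byte (assumption: the page only says the byte carries the type).
TYPE_AUTH_REQUEST = 0x01
TYPE_AUTH_RESPONSE = 0x02


def local_timestamp() -> bytes:
    """10-byte local timestamp. Assumption: a big-endian nanosecond counter stands in for
    the service-board chip's timestamp format, which the page does not specify."""
    return time.time_ns().to_bytes(10, "big")


def make_nonce(timestamp: bytes, entropy: Optional[bytes] = None) -> bytes:
    """SHA-256 over the 10-byte timestamp, then a 'random number algorithm' yielding 32 bytes.
    Assumption: the page leaves that algorithm open; here it is HMAC-SHA256 keyed with the
    digest over 32 CSPRNG bytes, so the nonce is not a pure function of a predictable clock."""
    if len(timestamp) != 10:
        raise ValueError("timestamp must be 10 bytes")
    seed = hashlib.sha256(timestamp).digest()
    if entropy is None:
        entropy = os.urandom(32)
    return hmac.new(seed, entropy, hashlib.sha256).digest()


def build_message(msg_type: int, body: bytes) -> bytes:
    """Header byte 0 = type, byte 1 = body length; bytes 2-3 reserved (assumption)."""
    if len(body) != BODY_LEN:
        raise ValueError("body must be 32 bytes")
    return bytes([msg_type, len(body), 0x00, 0x00]) + body


def parse_message(frame: bytes, expected_type: int) -> Optional[bytes]:
    """The page's validity check: byte 0 is the type, byte 1 the length, and the length must
    equal the value the control chip expects (BODY_LEN here). Returns the body or None."""
    if len(frame) != HEADER_LEN + BODY_LEN:
        return None
    if frame[0] != expected_type or frame[1] != BODY_LEN:
        return None
    return frame[HEADER_LEN:]


def slave_identity(password: bytes, port_info: bytes, nonce: bytes) -> bytes:
    """Hash of (slave password, slave port information, random number). Assumption: the page
    does not specify field encoding; NUL separators avoid ambiguous concatenation."""
    return hashlib.sha256(password + b"\x00" + port_info + b"\x00" + nonce).digest()


class Master:
    def __init__(self, slave_password: bytes, slave_port: bytes):
        # From the authentication link configuration issued by the network manager.
        self.slave_password = slave_password
        self.slave_port = slave_port
        self.state = "INIT"
        self.expected = b""  # second slave identity information, stored locally

    def start(self, entropy: Optional[bytes] = None) -> bytes:
        nonce = make_nonce(local_timestamp(), entropy)
        self.expected = slave_identity(self.slave_password, self.slave_port, nonce)
        self.state = "REQUEST"
        return build_message(TYPE_AUTH_REQUEST, nonce)

    def handle_response(self, frame: bytes) -> bool:
        body = parse_message(frame, TYPE_AUTH_RESPONSE)
        if body is None:
            return False  # invalid frame: stay in the request state
        self.state = "RESPONSE"
        # Constant-time compare (practitioner addition; the page says only "consistent").
        if hmac.compare_digest(body, self.expected):
            self.state = "SUCCESS"
            return True
        self.state = "REQUEST"  # mismatch: remain in the request state, restart later
        return False


class Slave:
    def __init__(self, password: bytes, port: bytes):
        self.password = password
        self.port = port

    def handle_request(self, frame: bytes) -> Optional[bytes]:
        nonce = parse_message(frame, TYPE_AUTH_REQUEST)
        if nonce is None:
            return None  # page: slave feeds back a failure state; modelled as None
        ident = slave_identity(self.password, self.port, nonce)  # first slave identity
        return build_message(TYPE_AUTH_RESPONSE, ident)


def run_exchange(master: Master, slave: Slave) -> bool:
    """One full request/response round over an in-memory channel."""
    request = master.start()
    response = slave.handle_request(request)
    return response is not None and master.handle_response(response)


if __name__ == "__main__":
    cfg = (b"slave-secret", b"10.0.0.2/slot3/port1")  # constructed sample configuration
    print("genuine slave:", run_exchange(Master(*cfg), Slave(*cfg)))
    print("wrong password:", run_exchange(Master(*cfg), Slave(b"other", cfg[1])))
```

Run as a script it prints `True` for the genuine slave and `False` for a slave holding a different password; a frame whose length byte disagrees with the 32 bytes the receiver expects is rejected before any hashing takes place, which is the check the description places ahead of parsing.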
Further, based on the above embodiment, in this embodiment the master 10 is further configured to retransmit the authentication request message to the slave 20 when no authentication response message for that request is received from the slave 20 within a first preset time, and, once the number of failed authentication requests reaches a preset number, to retransmit the authentication request message only after a second preset time has elapsed or after optical input is present.
When the master 10 sends an authentication request message to the slave 20, the counter built into the master 10 starts counting. From the counter the master 10 judges whether the authentication response message of the slave 20 for that request has arrived within the first preset time. If no response is obtained within the first preset time, the current authentication request has failed: the current counter value is cleared, the failure count is incremented, and the authentication request message is sent again. The first preset time can be set flexibly according to the specific conditions. Note that a retransmitted authentication request message is built from a freshly acquired local timestamp, passed again through the hash algorithm and the random number algorithm to produce a new random number, so the random number carried by each transmitted authentication request message is different.
To prevent the master 10 from sending the authentication request message indefinitely after the link between the master 10 and the slave 20 has been disconnected, which would burden the device, the master 10 may stop sending once the accumulated number of failed authentication requests reaches the preset number, and then clear the failure count. The preset number can be set to 5, or to another value according to actual needs. After the second preset time the master 10 sends the authentication request message to the slave 20 again; alternatively, once service has been restored, that is, once optical input is present, the master 10 retransmits the authentication request message to the slave 20. The second preset time can also be set flexibly according to the specific conditions.
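The retransmission and back-off behaviour of the last three paragraphs, as an added example (illustrative code, not ZTE's implementation): the built-in counter starts with each transmission, a timeout clears it and counts a failure, the fifth failure stops transmission and clears the failure count, and sending resumes either after the second preset time or as soon as optical input is present. Each transmitted request carries a freshly computed random number. The timer values, the clock injection used so the example runs without sleeping, the callback standing in for the overhead-byte channel, and the use of SHA-256 over timestamp plus CSPRNG bytes in place of the unspecified random number algorithm are all assumptions.

```python
"""Retransmission and back-off logic of the master described above, driven by an injected clock.

Example code added for illustration; not ZTE's implementation. Timer values are assumptions."""
import hashlib
import os
from typing import Callable, List, Optional

FIRST_PRESET_TIME = 2.0    # seconds to wait for the slave's response (assumption)
SECOND_PRESET_TIME = 30.0  # back-off after the failure limit is reached (assumption)
PRESET_FAILURES = 5        # the page's example value


def fresh_request(timestamp: bytes) -> bytes:
    """New 36-byte request per transmission: the random number is recomputed each time,
    so no two transmitted requests carry the same value. Assumption: SHA-256 over the
    timestamp plus CSPRNG bytes stands in for the unspecified random number algorithm."""
    nonce = hashlib.sha256(timestamp + os.urandom(32)).digest()
    return bytes([0x01, 32, 0x00, 0x00]) + nonce   # type 0x01 = request (assumed code)


class MasterRetry:
    def __init__(self, now: Callable[[], float], send: Callable[[bytes], None]):
        self.now = now          # injected clock (no real sleeping in the example)
        self.send = send        # overhead-byte channel, modelled as a callback
        self.state = "INIT"
        self.failures = 0
        self.timer_start: Optional[float] = None   # the master's built-in counter
        self.backoff_until: Optional[float] = None
        self.sent: List[bytes] = []                # record of transmitted frames

    def send_request(self) -> None:
        frame = fresh_request(int(self.now() * 1e9).to_bytes(10, "big"))
        self.sent.append(frame)
        self.send(frame)
        self.timer_start = self.now()   # counter starts with the transmission
        self.state = "REQUEST"

    def on_response(self, frame: bytes) -> None:
        """A response arriving stops the counter; verifying its content is out of scope here."""
        if self.state == "REQUEST":
            self.timer_start = None
            self.failures = 0
            self.state = "RESPONSE"

    def tick(self, optical_input: bool = False) -> str:
        """Polling step. Returns the action taken so callers can observe the state machine."""
        t = self.now()
        if self.state == "STOPPED":
            # Resume after the second preset time, or as soon as optical input is back.
            if optical_input or (self.backoff_until is not None and t >= self.backoff_until):
                self.backoff_until = None
                self.send_request()
                return "resumed"
            return "idle"
        if self.state == "REQUEST" and self.timer_start is not None:
            if t - self.timer_start < FIRST_PRESET_TIME:
                return "waiting"
            # No response within the first preset time: clear the counter, count a failure.
            self.timer_start = None
            self.failures += 1
            if self.failures >= PRESET_FAILURES:
                # Stop hammering a dead link; clear the failure count and back off.
                self.failures = 0
                self.state = "STOPPED"
                self.backoff_until = t + SECOND_PRESET_TIME
                return "stopped"
            self.send_request()
            return "retransmit"
        return "noop"


class FakeClock:
    def __init__(self) -> None:
        self.t = 0.0

    def now(self) -> float:
        return self.t

    def advance(self, seconds: float) -> None:
        self.t += seconds


def simulate_dead_link(ticks: int = 6) -> MasterRetry:
    """Drive the master against a link that never answers, one tick per FIRST_PRESET_TIME."""
    clock = FakeClock()
    m = MasterRetry(clock.now, send=lambda frame: None)   # constructed silent channel
    m.send_request()
    for _ in range(ticks):
        clock.advance(FIRST_PRESET_TIME)
        m.tick()
    return m


if __name__ == "__main__":
    m = simulate_dead_link()
    print(m.state, len(m.sent), "requests sent; all distinct:", len(set(m.sent)) == len(m.sent))
```

Against a silent link the master transmits five requests, each with a different random number, then stops with its failure count cleared; a later tick with `optical_input=True` resumes immediately, while without it the master waits out the second preset time before sending again.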
Further, based on the foregoing embodiment, in this embodiment the identity verification system of the optical transport network further comprises: two symmetric service boards that determine the master 10 and the slave 20 according to an auto-negotiation algorithm or a received network management protocol configuration instruction; the master 10 is further configured to receive authentication link configuration information issued by a network manager, the authentication link configuration information comprising the password information of the master 10, the password information of the slave 20, the port information of the master 10 and the port information of the slave 20; and
the slave 20 is further configured to receive the authentication link configuration information issued by the network manager, comprising the same password information and port information of the master 10 and the slave 20.
In this embodiment, before identity authentication is performed, the master 10 and the slave 20 must be determined among the two symmetric service boards forming the link. Of two symmetric service boards under the same network management in the OTN network, one is set as the master 10 and the other as the slave 20; the master 10 then actively sends an authentication request to the slave 20 to verify the validity of the identity information. The embodiment is built on the existing hardware and needs no dedicated central controller, which greatly saves cost. Moreover, having the master 10 and the slave 20 verify the identity information directly between themselves improves the security of identity verification compared with the traditional symmetric verification mechanism, in which a central controller verifies the identity information of every node.
Specifically, the master 10 and the slave 20 may be determined in either of two ways. In the first, the two symmetric service boards determine the master 10 and the slave 20 by an auto-negotiation algorithm: while exchanging messages, the two boards compare parameters such as IP address, slot number and port number, and the board with the larger value is designated the master 10 and the board with the smaller value the slave 20. In the second, the master 10 and the slave 20 are determined by network management protocol configuration: the network manager issues a protocol message stating which of the two symmetric service boards is to act as the master 10 and which as the slave 20, and the roles are assigned accordingly.
After the master 10 and the slave 20 have been configured, the network manager issues the authentication link configuration information to both, and both receive and store it. The authentication link configuration information is mainly used to generate the identity information of the master 10 or the slave 20, and that identity information is the key to whether the subsequent authentication succeeds. The authentication link configuration information may comprise: the password information of the master 10, the password information of the slave 20, the port information of the master 10, the port information of the slave 20, the key material update period and update mode of the master 10, and the like. The port information may be the network element IP address, the slot number, and so on. The password information and the port information may be numbers or characters, and are converted to binary when the identity information is generated by the hash algorithm. After the link configuration is complete, both the master state machine and the slave state machine are initialized to their initial states. So that either board can perform the corresponding function if the roles of master 10 and slave 20 are switched, both the master 10 and the slave 20 receive the authentication link configuration information for both ends. Once the authentication link configuration is complete, the master 10 may send an authentication request message to the slave 20.
Further, based on the above embodiment, in this embodiment the master 10 is further configured to generate second slave identity information from the password information of the slave 20, the port information of the slave 20 and the random number, and to store the second slave identity information.
So that the master 10 can effectively determine whether the identity verification has succeeded, that is, compare the first slave identity information parsed from the authentication response message sent by the slave 20 with a value it generated itself, in this embodiment the master 10 uses the hash algorithm to generate second slave identity information from the random number it obtained, the password information of the slave 20 and the port information of the slave 20, and stores it locally. During identity verification the master 10 then checks the stored second slave identity information against the first slave identity information fed back by the slave 20. The password information and the port information can be set flexibly according to the specific conditions. The master 10 constructs the authentication request message from the 32-byte binary random number it obtained; for example, a 4-byte message header may be combined with the 32-byte random number to form the authentication request message, the first byte of the header indicating that the message type is an authentication request.
The above description is only a preferred embodiment of the present invention and is not intended to limit its scope; all equivalent structural and process modifications made using the contents of the present specification and the accompanying drawings, or applied directly or indirectly in other related technical fields, fall within the scope of the present invention.

Claims (15)

1. An identity authentication method of an optical transport network, the identity authentication method of the optical transport network comprising the steps of:
when the identity authentication is started, the master end acquires local timestamp information, introduces the local timestamp information into a function consisting of a Hash algorithm and a random number algorithm to generate a random number, constructs an identity authentication request message according to the random number, and sends the identity authentication request message to the slave end through a first preset overhead byte;
the master end receives the identity authentication response message fed back by the slave end according to the random number, the password information of the slave end and the port information of the slave end;
and the master terminal analyzes the identity authentication response message to acquire first slave terminal identity information and judges whether identity authentication is successful according to the first slave terminal identity information and the stored second slave terminal identity information.
2. The identity authentication method of an optical transport network according to claim 1, wherein the step of, when the identity authentication is started, the master side obtaining the local timestamp information, importing the local timestamp information into a function consisting of a hash algorithm and a random number algorithm to generate a random number, constructing an identity authentication request message according to the random number, and sending the identity authentication request message to the slave side through a first preset overhead byte comprises:
and when the identity authentication response message fed back by the slave end for the identity authentication request message is not received within a first preset time, retransmitting the identity authentication request message to the slave end, and, after the number of failures of the identity authentication request reaches a preset number, retransmitting the identity authentication request message after a second preset time or after optical input is present.
3. The method for authenticating an optical transport network according to claim 1, further comprising, before performing all the steps:
the method comprises the steps that a dual-symmetric service single board determines a master end and a slave end according to an auto-negotiation algorithm or a received network management protocol configuration instruction, the master end and the slave end respectively receive authentication link configuration information issued by a network manager, and the authentication link configuration information comprises password information of the master end, password information of the slave end, port information of the master end and port information of the slave end.
4. The identity verification method of the optical transport network of claim 3, wherein the step of parsing the identity authentication response message to obtain the first slave identity information and determining whether the identity verification is successful according to the first slave identity information and the stored second slave identity information comprises:
and generating second slave identity information according to the password information of the slave, the port information of the slave and the random number for storage.
5. The identity verification method of the optical transport network according to claim 1, wherein messages are received or transmitted between the master end and the slave end through a preset overhead byte.
6. An authentication apparatus of an optical transport network, comprising:
the system comprises an acquisition module, a slave end and a master end, wherein the acquisition module is used for acquiring local timestamp information when identity authentication is started, importing the local timestamp information into a function consisting of a Hash algorithm and a random number algorithm to generate a random number, constructing an identity authentication request message according to the random number, and sending the identity authentication request message to the slave end through a first preset overhead byte;
the receiving module is used for receiving the identity authentication response message fed back by the slave end according to the random number, the password information of the slave end and the port information of the slave end;
and the verification module is used for analyzing the identity authentication response message to acquire first slave end identity information and judging whether identity verification is successful according to the first slave end identity information and the stored second slave end identity information.
7. The apparatus for authenticating an optical transport network according to claim 6, wherein the apparatus for authenticating an optical transport network further comprises:
and a processing module, configured to retransmit the identity verification request message to the slave end when the identity verification response message fed back by the slave end for the identity verification request message is not received within a first preset time, and, after the number of failures of the identity verification request reaches a preset number, to retransmit the identity verification request message after a second preset time or after optical input is present.
8. The apparatus for authenticating an optical transport network according to claim 6, wherein the apparatus for authenticating an optical transport network further comprises:
the determining module is used for determining a master end and a slave end by the two symmetric service single boards according to an auto-negotiation algorithm or a received network management protocol configuration instruction, wherein the master end and the slave end respectively receive authentication link configuration information issued by a network manager, and the authentication link configuration information comprises password information of the master end, password information of the slave end, port information of the master end and port information of the slave end.
9. The apparatus for authenticating an optical transport network according to claim 8, wherein the apparatus for authenticating an optical transport network further comprises:
and the storage module is used for generating second slave identity information according to the password information of the slave, the port information of the slave and the random number for storage.
10. The identity authentication apparatus of the optical transport network according to claim 6, wherein the master end and the slave end receive or transmit messages therebetween through a preset overhead byte.
11. An authentication system of an optical transport network, comprising a master and a slave, wherein,
the system comprises a master end, a slave end and a server, wherein the master end is used for acquiring local timestamp information when identity authentication is started, importing the local timestamp information into a function consisting of a Hash algorithm and a random number algorithm to generate a random number, constructing an identity authentication request message according to the random number, and sending the identity authentication request message to the slave end through a first preset overhead byte;
the slave end is used for receiving the identity verification request message, constructing an identity authentication response message according to the random number in the identity verification request message, the password information of the slave end and the port information of the slave end and sending the identity authentication response message to the master end;
and the master end is used for analyzing the identity authentication response message to acquire the identity information of the first slave end and judging whether the identity authentication is successful according to the identity information of the first slave end and the stored identity information of the second slave end.
12. The system of claim 11, wherein the master is further configured to retransmit the authentication request message to the slave when the authentication response message fed back by the slave for the authentication request message is not received within a first preset time, and retransmit the authentication request message after a second preset time or after an optical input exists after the number of failed authentication requests reaches a preset number.
13. The authentication system of an optical transport network according to claim 11, wherein the authentication system of an optical transport network further comprises:
the two symmetric service single boards determine a master end and a slave end according to an auto-negotiation algorithm or a received network management protocol configuration instruction;
the master end is also used for receiving authentication link configuration information issued by the network manager, wherein the authentication link configuration information comprises password information of the master end, password information of the slave end, port information of the master end and port information of the slave end;
the slave end is further used for receiving authentication link configuration information issued by the network manager, wherein the authentication link configuration information comprises password information of the master end, password information of the slave end, port information of the master end and port information of the slave end.
14. The system of claim 13, wherein the master is further configured to generate the second slave identity information according to the slave password information, the slave port information, and the random number for storage.
15. The identity verification system of an optical transport network according to claim 11, wherein the master and the slave receive or transmit messages therebetween through a preset overhead byte.

Priority Applications (2)

Application Number Priority Date Filing Date Title
CN201510516255.8A CN106470198B (en) 2015-08-20 2015-08-20 Identity verification method, device and system of optical transport network
PCT/CN2016/095962 WO2017028807A1 (en) 2015-08-20 2016-08-19 Identity authentication method, device, and system for optical transport network

Publications (2)

Publication Number Publication Date
CN106470198A CN106470198A (en) 2017-03-01
CN106470198B true CN106470198B (en) 2021-02-23

Citations (3)

- CN1914649A (cited by examiner; priority 2003-12-09, published 2007-02-14; Panasonic Corporation): Authentication system, authentication device, and recording medium
- CN103475475A (cited by examiner; priority 2003-11-21, published 2013-12-25; Finisar Corporation): Transceiver with controller for authentication
- CN103905437A (cited by examiner; priority 2014-03-22, published 2014-07-02; Harbin Engineering University): Remote protocol authentication method based on passwords

Family Cites Families (2)

- US9185555B2 (cited by examiner; priority 2010-04-22, published 2015-11-10; Futurewei Technologies, Inc.): Method for authentication of a wireless backup system for an optical network unit
- US9391781B2 (cited by examiner; priority 2013-06-04, published 2016-07-12; Altera Corporation): Systems and methods for intermediate message authentication in a switched-path network

Also Published As

Publication number Publication date
WO2017028807A1 (en) 2017-02-23
CN106470198A (en) 2017-03-01

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant