CN107919917B - Method for preventing illegal ONU registration from getting online (Google Patents)

Info

Publication number: CN107919917B
Authority: CN (China)
Prior art keywords: onu, mac address, digital signature, management system, network management
Legal status: Active
Application number: CN201711476957.3A
Other languages: Chinese (zh)
Other versions: CN107919917A
Inventors: 董建峰, 李明, 郑直, 王培佩
Current assignee: Wuhan Yangtze Optical Technology Co ltd
Original assignee: Wuhan Yangtze Optical Technology Co ltd
Application filed by Wuhan Yangtze Optical Technology Co ltd; priority to CN201711476957.3A; published as CN107919917A; application granted and published as CN107919917B.

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04B TRANSMISSION
    • H04B10/00 Transmission systems employing electromagnetic waves other than radio-waves, e.g. infrared, visible or ultraviolet light, or employing corpuscular radiation, e.g. quantum communication
    • H04B10/80 Optical aspects relating to the use of optical transmission for specific applications, not provided for in groups H04B10/03 - H04B10/70, e.g. optical power feeding or optical transmission through water
    • H04B10/85 Protection from unauthorised access, e.g. eavesdrop protection
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Physics & Mathematics (AREA)
  • Electromagnetism (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention discloses a method for preventing an illegal ONU from registering and coming online in a fiber-to-the-home network. It comprises the following steps: S1, MAC addresses are generated on the network management system; S2, the network management system encrypts each MAC address to generate a corresponding digital signature and stores the signature locally; S3, after an optical network unit (ONU) is connected to the central office equipment (OLT), the OLT monitors the ONU's registration request, acquires the ONU's MAC address and digital signature and reports both to the network management system; S4, the network management system compares the reported MAC address and digital signature with the locally stored digital signature: if they are consistent the ONU is judged legal, and if they are inconsistent the ONU is judged illegal; S5, the network management system sends a message to the OLT that allows a legal ONU to register and come online and refuses registration to an illegal ONU. The invention prevents an ONU that has not passed security authentication from registering, coming online and carrying service, thereby protecting the security of the network system.

Description

Method for preventing illegal ONU registration from getting online
Technical Field
The invention relates to the technical field of FTTH (fiber to the home) networks and the generation of digital signatures for optical network units (ONUs), and in particular to a method for preventing an illegal ONU from registering and coming online.
Background
With the rapid growth of FTTH (fiber to the home) service, optical network units (ONUs) have entered millions of households. As the technical barrier to entry and the production cost of ONUs have fallen, many disreputable manufacturers have entered the field and counterfeit and substandard ONU products have appeared in large numbers, creating serious hidden risks to network security. To stop this situation from deteriorating further, a function is needed that performs security authentication on the ONU: only an authenticated ONU may access the network and carry subsequent services, while an unauthenticated ONU cannot come online. This ensures network security and makes the network easier for network management personnel to administer.
Disclosure of Invention
The technical problem to be solved by the present invention is to provide a method for preventing an illegal ONU from registering and coming online, addressing the defect of the prior art that network security is difficult to guarantee.
The technical scheme adopted by the invention to solve this problem is as follows:
The invention provides a method for preventing an illegal ONU from registering online. In a fiber-to-the-home network, a network management system generates MAC addresses and digital signatures and manages the optical network units (ONUs) that connect to the central office equipment, the OLT (optical line terminal). The method comprises the following steps:
S1, generating MAC addresses on the network management system;
S2, the network management system encrypts each MAC address to generate a corresponding digital signature, and the digital signature is stored in the network management system;
S3, after the ONU is connected to the OLT, the OLT monitors the ONU's registration request, acquires the ONU's MAC address and digital signature and reports both to the network management system;
S4, the network management system compares the reported MAC address and digital signature with the locally stored digital signature; if the comparison result is consistent, the ONU is judged legal, and if it is inconsistent, the ONU is judged illegal;
S5, the network management system sends a message to the OLT that allows a legal ONU to register and come online and refuses registration to an illegal ONU.
Further, each MAC address generated in step S1 is unique. All MAC addresses together form a MAC address pool; the pool is planned before the fiber-to-the-home network is brought into service, and only an ONU whose MAC address is in the pool may access the OLT.
Further, the MAC addresses in step S1 may be generated in either of two ways:
generating MAC addresses on the network management system according to a preset rule; or
importing MAC addresses from an external document into the network management system.
Further, the encryption of each MAC address in step S2 specifically proceeds as follows:
The network management system encrypts each MAC address with the TEA encryption algorithm to generate the corresponding digital signature. TEA uses a continuously increasing Delta (sum) value as the per-round variable, so that every round of encryption differs; the number of iterations is configurable and is set to 32 rounds on the network management system. After encryption, the resulting ciphertext is appended to the MAC address to form a string 38 bytes long, in which the MAC address occupies 6 bytes and the ciphertext 32 bytes; if the ciphertext is shorter than 32 bytes it is padded with 0 to reach 32 bytes. Finally, the string of length 40 bytes is BASE64-encoded to obtain the final digital signature.
Further, step S3 specifically comprises:
The ONU is connected to a PON port of the OLT. After being powered on or reset, the ONU sends a registration request to the OLT; on detecting the registration request, the OLT acquires the ONU's MAC address and digital signature and reports them to the network management system in the form of an alarm.
Further, step S4 specifically comprises:
The network management system, according to the alarm type, compares the reported MAC address and digital signature with the locally stored digital signature; if the comparison result is consistent the ONU is considered a legal, security-authenticated ONU, and if it is inconsistent the ONU is considered illegal.
Further, the comparison of the reported MAC address and digital signature with the locally stored digital signature in step S4 specifically comprises:
BASE64-decoding the reported digital signature and the locally stored digital signature respectively, then comparing the first 6 bytes of each decoded string with the reported MAC address;
comparing the 32 bytes that follow in the two decoded strings;
and if all comparison results are the same, the comparison is considered consistent.
Further, step S5 specifically comprises:
The network management system sends the OLT a message indicating whether the ONU is authenticated, according to the determination result of step S4; after receiving the message, the OLT decides according to the message type whether to allow the ONU to register and come online.
The invention has the following beneficial effects. The method for preventing an illegal ONU from registering online offers these advantages: 1. it prevents an unauthenticated ONU from accessing the network system, thereby protecting the security of the network system; 2. it performs security authentication on the ONU directly, before the OLT registers the connected ONU online, so that illegal counterfeit and substandard products are effectively kept out of the network system, the network's potential security hazards are reduced, and the work of operation and maintenance personnel is greatly simplified.
Drawings
The invention is further described below with reference to the accompanying drawings and embodiments, in which:
Fig. 1 is a flowchart of a method for preventing an illegal ONU from registering online according to an embodiment of the present invention;
Fig. 2 is a sequence diagram of a method for preventing an illegal ONU from registering online according to an embodiment of the present invention.
Detailed Description
In order to make the objects, technical solutions and advantages of the present invention more apparent, the present invention is described in further detail below with reference to the accompanying drawings and embodiments. It should be understood that the specific embodiments described herein are merely illustrative of the invention and are not intended to limit the invention.
As shown in Fig. 1, a method for preventing an illegal ONU from registering online according to an embodiment of the present invention has a network management system in a fiber-to-the-home network generate MAC addresses and digital signatures and manage the ONUs that connect to the OLT (the central office equipment). The method includes the following steps:
S1, generating MAC addresses on the network management system;
S2, the network management system encrypts each MAC address to generate a corresponding digital signature, and the digital signature is stored in the network management system;
S3, after the ONU is connected to the OLT, the OLT monitors the ONU's registration request, acquires the ONU's MAC address and digital signature and reports both to the network management system;
S4, the network management system compares the reported MAC address and digital signature with the locally stored digital signature; if the comparison result is consistent, the ONU is judged legal, and if it is inconsistent, the ONU is judged illegal;
S5, the network management system sends a message to the OLT that allows a legal ONU to register and come online and refuses registration to an illegal ONU.
In another embodiment of the invention:
The digital signature is generated in the network management system and stored there. When an ONU is connected to the OLT it sends a registration request; after the OLT receives the ONU's registration request message, it obtains the ONU's MAC address and digital signature and reports them to the network management system. The network management system receives the reported MAC address and digital signature, compares them with the digital signature stored in the system, and judges whether the ONU has passed security authentication. This discriminates between ONUs, so that an ONU that has not passed security authentication cannot register, cannot come online and cannot carry service.
Referring to the sequence diagram of the method for preventing an illegal ONU from registering online shown in Fig. 2, the flow is based on the method flow of Fig. 1, and the specific process is as follows:
Step 1: Set a starting MAC address and an ending MAC address in the network management system, then generate a group of consecutive MAC addresses; the number of consecutive MAC addresses is at most 100,000. Alternatively, import MAC addresses that have already been planned and allocated in an external form document into the system. These MAC addresses will be used for security authentication of the connected ONUs and must be unique.
Step 2: Encrypt each MAC address in the network management system to generate the corresponding digital signature. The encryption uses the TEA encryption algorithm: the MAC address and the private key form the original data, which is then encrypted iteratively over several rounds to ensure security. Because the original data formed for encryption is unique, the digital signature produced by the encryption is also unique.
the method for encrypting each MAC address specifically includes:
the network management system encrypts each MAC address by using a TEA encryption algorithm to generate a corresponding digital signature; the TEA algorithm uses the Delta value which is continuously increased as a change, so that the encryption of each round is different, the iteration number of the encryption algorithm can be changed, and the iteration number on the network management system is 32 rounds. After encryption is completed, the obtained ciphertext is spliced to the MAC address to form a character string with the length of 38 bytes. The length of the MAC address in the character string is 6 bytes, and the length of the ciphertext is 32 bytes. If the ciphertext length obtained after encryption is less than 32 bytes, the ciphertext is complemented by 0 to reach 32 bytes. Finally, the string with the length of 40 bytes is subjected to BASE64 encoding to obtain the final digital signature.
Step 3: After an ONU is connected to the OLT, the OLT monitors the ONU's registration request, acquires the ONU's MAC address and digital signature and reports them to the network management system.
Step 4: The network management system compares the reported MAC address and digital signature with the locally stored digital signature; if the comparison result is consistent the ONU is considered a legal, security-authenticated ONU, and if it is inconsistent the ONU is considered illegal.
The comparison of the reported MAC address and digital signature with the locally stored digital signature specifically comprises the following steps:
1) BASE64-decode the reported digital signature and the locally stored digital signature respectively, then compare the first 6 bytes of each decoded string with the reported MAC address; both must be identical to the reported MAC address.
2) Compare the 32 bytes that follow the MAC address in the two decoded strings; they must be identical.
Step 5: The network management system sends the OLT a message indicating whether the ONU has passed security authentication, according to the determination result of step 4; after receiving the message, the OLT decides according to the message type whether to allow the ONU to register and come online.
By this method, the invention prevents an illegal ONU from registering online and carrying service: an ONU that has not passed security authentication cannot access the network system and cannot carry service, thereby protecting network security.
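Steps 1 to 5 above (MAC pool, TEA-based signature string, BASE64 encoding, and the decode-and-compare check), as an added Python example; this is not the patent's own code. Assumptions the patent does not state: the 6-byte MAC is zero-padded to one 8-byte TEA block, TEA is used with its standard 128-bit key and Delta constant, the pool stores one signature per MAC, and the 6 + 32 = 38-byte layout is used where the text gives both 38 and 40 bytes.

```python
"""Added example, not the patent's own code: the TEA-based MAC-address
"digital signature" and the step 4 comparison, as the text describes them.

Assumptions not stated in the patent: the 6-byte MAC is zero-padded to one
8-byte TEA block; TEA uses its standard 128-bit key and Delta constant; the
pool stores signatures keyed by MAC; the 6 + 32 = 38-byte layout is used.
"""
import base64
import hmac
import struct
from typing import Dict, Optional, Tuple

DELTA = 0x9E3779B9      # TEA round constant; the running sum grows by it every round
MASK = 0xFFFFFFFF
ROUNDS = 32             # iteration count used on the network management system
MAC_LEN = 6
CIPHER_LEN = 32         # ciphertext field, zero-padded ("supplement 0") to this length

Key = Tuple[int, int, int, int]


def tea_encrypt_block(v0: int, v1: int, key: Key) -> Tuple[int, int]:
    """Encrypt one 64-bit block (two 32-bit words) with standard TEA."""
    k0, k1, k2, k3 = key
    total = 0
    for _ in range(ROUNDS):
        total = (total + DELTA) & MASK      # Delta keeps increasing, so no two rounds are alike
        v0 = (v0 + ((((v1 << 4) & MASK) + k0) ^ (v1 + total) ^ ((v1 >> 5) + k1))) & MASK
        v1 = (v1 + ((((v0 << 4) & MASK) + k2) ^ (v0 + total) ^ ((v0 >> 5) + k3))) & MASK
    return v0, v1


def tea_decrypt_block(v0: int, v1: int, key: Key) -> Tuple[int, int]:
    """Inverse of tea_encrypt_block; included so the cipher can be sanity-checked."""
    k0, k1, k2, k3 = key
    total = (DELTA * ROUNDS) & MASK
    for _ in range(ROUNDS):
        v1 = (v1 - ((((v0 << 4) & MASK) + k2) ^ (v0 + total) ^ ((v0 >> 5) + k3))) & MASK
        v0 = (v0 - ((((v1 << 4) & MASK) + k0) ^ (v1 + total) ^ ((v1 >> 5) + k1))) & MASK
        total = (total - DELTA) & MASK
    return v0, v1


def parse_mac(mac: str) -> bytes:
    """'00:1a:2b:3c:4d:5e' -> 6 raw bytes; rejects anything that is not a 48-bit MAC."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != MAC_LEN:
        raise ValueError("MAC address must be exactly 6 bytes")
    return raw


def make_signature(mac: str, key_bytes: bytes) -> str:
    """Step 2: TEA-encrypt the MAC, pad the ciphertext to 32 bytes, prepend the MAC, BASE64."""
    if len(key_bytes) != 16:
        raise ValueError("TEA requires a 128-bit key")
    mac_bytes = parse_mac(mac)
    key = struct.unpack(">4I", key_bytes)
    v0, v1 = struct.unpack(">2I", mac_bytes + b"\x00\x00")     # assumption: 6 -> 8 byte block
    ciphertext = struct.pack(">2I", *tea_encrypt_block(v0, v1, key))
    ciphertext = ciphertext.ljust(CIPHER_LEN, b"\x00")          # shorter than 32 bytes: pad with 0
    return base64.b64encode(mac_bytes + ciphertext).decode("ascii")


def build_pool(start_mac: str, count: int, key_bytes: bytes) -> Dict[bytes, str]:
    """Steps 1 and 2: a contiguous, unique MAC pool from a start address, one signature each."""
    base = int.from_bytes(parse_mac(start_mac), "big")
    pool: Dict[bytes, str] = {}
    for i in range(count):
        mac_bytes = (base + i).to_bytes(MAC_LEN, "big")
        mac = ":".join(f"{b:02x}" for b in mac_bytes)
        pool[mac_bytes] = make_signature(mac, key_bytes)
    return pool


def decode_signature(sig: str) -> Optional[bytes]:
    """BASE64-decode a signature; None if it is malformed or not 6 + 32 bytes long."""
    try:
        raw = base64.b64decode(sig, validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return None
    return raw if len(raw) == MAC_LEN + CIPHER_LEN else None


def verify_onu(reported_mac: str, reported_sig: str, pool: Dict[bytes, str]) -> bool:
    """Step 4: decode both signatures, check the MAC field, then compare the 32-byte tail."""
    try:
        mac_bytes = parse_mac(reported_mac)
    except ValueError:
        return False                                  # unparseable MAC in the alarm: reject
    stored_sig = pool.get(mac_bytes)
    if stored_sig is None:
        return False                                  # MAC not in the planned pool: illegal ONU
    reported, stored = decode_signature(reported_sig), decode_signature(stored_sig)
    if reported is None or stored is None:
        return False
    # 1) the first 6 bytes of each decoded string must equal the reported MAC address
    if reported[:MAC_LEN] != mac_bytes or stored[:MAC_LEN] != mac_bytes:
        return False
    # 2) the 32 bytes after the MAC must be identical; compare in constant time
    return hmac.compare_digest(reported[MAC_LEN:], stored[MAC_LEN:])


if __name__ == "__main__":
    # Constructed demo values: an operator key and a 5-address pool
    demo_key = bytes(range(16))
    demo_pool = build_pool("00:1a:2b:00:00:00", 5, demo_key)
    sig = demo_pool[parse_mac("00:1a:2b:00:00:02")]
    print(sig, verify_onu("00:1a:2b:00:00:02", sig, demo_pool))
```

Because TEA is a symmetric cipher, this "digital signature" is a keyed tag rather than a public-key signature, so the TEA key and the stored signature table are the assets the network management system must protect.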
It will be understood that modifications and variations can be made by persons skilled in the art in light of the above teachings and all such modifications and variations are intended to be included within the scope of the invention as defined in the appended claims.

Claims (3)

1. A method for preventing illegal ONU registration from getting online, characterized in that, in a fiber-to-the-home network, a network management system generates MAC addresses and digital signatures and manages the optical network units (ONUs) connected to the central office equipment, the OLT, and the method comprises the following steps:
S1, generating MAC addresses on the network management system;
S2, the network management system encrypts each MAC address to generate a corresponding digital signature, and the digital signature is stored in the network management system;
S3, after the ONU is connected to the OLT, the OLT monitors the ONU's registration request, acquires the ONU's MAC address and digital signature and reports both to the network management system;
S4, the network management system compares the reported MAC address and digital signature with the locally stored digital signature; if the comparison result is consistent, the ONU is judged legal, and if it is inconsistent, the ONU is judged illegal;
S5, the network management system sends a message to the OLT that allows a legal ONU to register and come online and refuses registration to an illegal ONU;
each MAC address generated in step S1 is unique, all MAC addresses form a MAC address pool, the MAC address pool is planned at the early stage of provisioning the fiber-to-the-home network, and only an ONU whose MAC address is in the pool may access the OLT;
the MAC addresses in step S1 are generated in either of two ways:
generating MAC addresses on the network management system according to a preset rule;
importing MAC addresses from an external document into the network management system;
the encryption of each MAC address in step S2 specifically comprises:
the network management system encrypts each MAC address with the TEA encryption algorithm to generate the corresponding digital signature; TEA uses a continuously increasing Delta (sum) value as the per-round variable, so that every round of encryption differs; the number of iterations is configurable and is set to 32 rounds on the network management system; after encryption, the resulting ciphertext is appended to the MAC address to form a string 38 bytes long, in which the MAC address occupies 6 bytes and the ciphertext 32 bytes; if the ciphertext is shorter than 32 bytes it is padded with 0 to reach 32 bytes; finally, the string of length 40 bytes is BASE64-encoded to obtain the final digital signature;
step S4 specifically comprises:
the network management system, according to the alarm type, compares the reported MAC address and digital signature with the locally stored digital signature; if the comparison result is consistent the ONU is considered a legal, security-authenticated ONU, and if it is inconsistent the ONU is considered illegal;
the comparison of the reported MAC address and digital signature with the locally stored digital signature in step S4 specifically comprises:
BASE64-decoding the reported digital signature and the locally stored digital signature respectively, then comparing the first 6 bytes of each decoded string with the reported MAC address;
comparing the 32 bytes that follow in the two decoded strings;
and if all comparison results are the same, the comparison is considered consistent.
2. The method for preventing an illegal ONU from registering online according to claim 1, wherein step S3 specifically comprises:
the ONU is connected to a PON port of the OLT; after being powered on or reset, the ONU sends a registration request to the OLT; on detecting the registration request, the OLT acquires the ONU's MAC address and digital signature and reports them to the network management system in the form of an alarm.
3. The method for preventing an illegal ONU from registering online according to claim 1, wherein step S5 specifically comprises:
the network management system sends the OLT a message indicating whether the ONU is authenticated, according to the determination result of step S4; after receiving the message, the OLT decides according to the message type whether to allow the ONU to register and come online.
Application CN201711476957.3A, "Method for preventing illegal ONU registration from getting online"; priority date and filing date 2017-12-29; status Active (CN).

Publications (2)

Publication Number, Publication Date
CN107919917A (en), 2018-04-17
CN107919917B (en), 2020-09-29


Legal Events

Code, Title
PB01, Publication
SE01, Entry into force of request for substantive examination
GR01, Patent grant