CN108667526B - Multi-service safe transmission method, device and equipment in optical transport network - Google Patents

Publication number
CN108667526B
Authority
CN
China
Prior art keywords
quantum key
data unit
oduk
optical
services
Legal status
Active
Application number
CN201810208771.8A
Other languages
Chinese (zh)
Other versions
CN108667526A (en)
Inventor
张杰
曹原
吴文宣
李宏发
郁小松
赵永利
Current Assignee
Beijing University of Posts and Telecommunications
State Grid Fujian Electric Power Co Ltd
Original Assignee
Beijing University of Posts and Telecommunications
State Grid Fujian Electric Power Co Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04B TRANSMISSION
    • H04B10/00 Transmission systems employing electromagnetic waves other than radio-waves, e.g. infrared, visible or ultraviolet light, or employing corpuscular radiation, e.g. quantum communication
    • H04B10/70 Photonic quantum communication
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0852 Quantum cryptography
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04Q SELECTING
    • H04Q11/00 Selecting arrangements for multiplex systems
    • H04Q11/0001 Selecting arrangements for multiplex systems using optical switching
    • H04Q11/0062 Network aspects
    • Y GENERAL TAGGING OF NEW TECHNOLOGICAL DEVELOPMENTS; GENERAL TAGGING OF CROSS-SECTIONAL TECHNOLOGIES SPANNING OVER SEVERAL SECTIONS OF THE IPC; TECHNICAL SUBJECTS COVERED BY FORMER USPC CROSS-REFERENCE ART COLLECTIONS [XRACs] AND DIGESTS
    • Y02 TECHNOLOGIES OR APPLICATIONS FOR MITIGATION OR ADAPTATION AGAINST CLIMATE CHANGE
    • Y02D CLIMATE CHANGE MITIGATION TECHNOLOGIES IN INFORMATION AND COMMUNICATION TECHNOLOGIES [ICT], I.E. INFORMATION AND COMMUNICATION TECHNOLOGIES AIMING AT THE REDUCTION OF THEIR OWN ENERGY USE
    • Y02D30/00 Reducing energy consumption in communication networks
    • Y02D30/50 Reducing energy consumption in communication networks in wire-line communication networks, e.g. low power modes or reduced link rate

Abstract

The invention provides a method, an apparatus and a device for secure transmission of multiple services in an Optical Transport Network (OTN). The method comprises: after a plurality of services are multiplexed and mapped into an optical channel data unit ODUk, performing quantum key encryption on the optical channel data unit ODUk; and multiplexing and mapping the encrypted optical channel data unit ODUk into an optical channel transport unit OTUk for transport, so as to implement unified encryption of the plurality of services. Existing service secure communication methods based on quantum key distribution make poor use of quantum key resources when applied directly to the complex and diverse services carried in an OTN. To address this defect, the invention uniformly encrypts the plurality of services carried by the same ODUk, which achieves secure multi-service transmission in the OTN while saving quantum key resources and improving their utilization.

Description

Multi-service safe transmission method, device and equipment in optical transport network
Technical Field
The present invention relates to the field of communications technologies, and in particular, to a method, an apparatus, and a device for securely transmitting multiple services in an optical transport network.
Background
An Optical Transport Network (OTN) can carry various services, such as SDH/SONET, Ethernet, ATM and IP, and can provide a reliable end-to-end optical channel according to the attributes of each service to guarantee its quality of service. Fig. 1 is a schematic diagram of the layered structure of a prior-art OTN, which is divided into an optical channel layer (OCh), an optical multiplex section layer (OMS) and an optical transmission section layer (OTS). The OCh layer mainly comprises an optical channel payload unit (OPUk), an optical channel data unit (ODUk) and an optical channel transport unit (OTUk), where different values of k denote different transmission rates. The OTN accommodates service signals at wavelength and sub-wavelength rates. A service signal is mapped into an ODUk through an OPUk, and the ODUk is either mapped directly into an OTUk or first multiplexed into a higher-rate ODUk and then mapped into an OTUk, which improves transmission efficiency and reduces transmission cost. In the OTN, a wavelength channel carries the OTUk, and end-to-end transmission is transparent.
With the development of big data, the security requirements of OTNs are becoming increasingly urgent. Large-scale data aggregation makes it easier for an attacker to find a target, and the theft of data containing massive user information and sensitive information causes losses that are hard to measure. As OTNs continue to evolve, the information security risks faced by the services they carry are growing in variety, widening in scope and deepening in level. Most existing OTNs are in an 'unprotected' state, and only a few use a classical public-key cryptography mechanism for confidential transmission of services; security based on classical public-key cryptography depends heavily on computing capability, and it cannot guarantee the security of key distribution.
Quantum Key Distribution (QKD) generates and distributes quantum keys based on quantum information theory and has the theoretical advantage of 'unconditional security'. QKD can distribute quantum keys to the services in an OTN so that the services are encrypted, which achieves secure transmission of multiple services. However, existing QKD-based service secure communication methods use QKD to distribute a different quantum key to each service separately and perform encryption and decryption at the source node and destination node of each service. Applied directly to the complex and diverse services in an OTN, such a method easily exhausts the limited and precious quantum key resources and results in low utilization of those resources.
Disclosure of Invention
The present invention provides a method, apparatus and device for secure transmission of multiple services in an optical transport network that overcomes or at least partially solves the above mentioned problems.
According to an aspect of the present invention, there is provided a method for securely transmitting multiple services in an optical transport network, including:
after a plurality of services are multiplexed and mapped into an optical channel data unit ODUk, performing quantum key encryption on the optical channel data unit ODUk; and
multiplexing and mapping the encrypted optical channel data unit ODUk into an optical channel transport unit OTUk for transport, so as to implement unified encryption of the plurality of services.
According to another aspect of the present invention, there is also provided a method for securely transmitting multiple services in an optical transport network, including:
after demapping the received optical channel transport unit OTUk, performing quantum key decryption on the obtained encrypted optical channel data unit ODUk; and
converting the decrypted optical channel data unit ODUk into a plurality of services through demapping, so as to implement unified decryption of the plurality of services.
According to another aspect of the present invention, there is also provided a secure transmission apparatus for multiple services in an optical transport network, including:
a quantum key encryption module, configured to perform quantum key encryption on an optical channel data unit ODUk after a plurality of services are multiplexed and mapped into the optical channel data unit ODUk; and
a multi-service transport module, configured to multiplex and map the encrypted optical channel data unit ODUk into an optical channel transport unit OTUk for transport, so as to implement unified encryption of the plurality of services.
According to another aspect of the present invention, there is also provided a secure transmission apparatus for multiple services in an optical transport network, including:
a quantum key decryption module, configured to perform quantum key decryption on the encrypted optical channel data unit ODUk obtained after the optical channel transport unit OTUk is demapped; and
a multi-service mapping module, configured to convert the decrypted optical channel data unit ODUk into a plurality of services through demapping, so as to implement unified decryption of the plurality of services.
According to another aspect of the present invention, there is also provided an optical transport network encryption transmission apparatus, including:
at least one processor; and
at least one memory communicatively coupled to the processor, wherein:
the memory stores program instructions executable by the processor, and the processor calls the program instructions to execute the sending-end method of the multi-service secure transmission method in an optical transport network according to the present invention and the method of any optional embodiment thereof.
According to another aspect of the present invention, there is also provided an optical transport network decryption receiving apparatus, including:
at least one processor; and
at least one memory communicatively coupled to the processor, wherein:
the memory stores program instructions executable by the processor, and the processor calls the program instructions to execute the receiving-end method of the multi-service secure transmission method in an optical transport network according to the present invention and the method of any optional embodiment thereof.
The invention provides a method for securely transmitting multiple services in an optical transport network. Existing QKD-based service secure communication methods make poor use of quantum key resources when applied directly to the complex and diverse services in an OTN. To address this defect, the invention uniformly encrypts the plurality of services carried by the same ODUk, which achieves secure multi-service transmission in the OTN while saving quantum key resources and improving their utilization.
Drawings
FIG. 1 is a schematic diagram of a prior-art OTN layered structure;
FIG. 2 is a schematic diagram of a prior-art QKD-based service secure communication process;
FIG. 3 is a schematic flow chart of the sending-end method of a multi-service secure transmission method in an optical transport network according to an embodiment of the present invention;
FIG. 4 is a schematic diagram of an OTN layered structure with an OEUk added according to an embodiment of the present invention;
FIG. 5 is a schematic flow chart of the receiving-end method of a multi-service secure transmission method in an optical transport network according to an embodiment of the present invention;
FIG. 6 is a schematic diagram of a multi-service secure transmission method and apparatus in an OTN according to an embodiment of the present invention;
FIG. 7 is a schematic diagram of the framework of an optical transport network encryption transmitting apparatus according to an embodiment of the present invention;
FIG. 8 is a schematic diagram of the framework of an optical transport network decryption receiving apparatus according to an embodiment of the present invention.
Detailed Description
The following detailed description of embodiments of the present invention is provided in connection with the accompanying drawings and examples. The following examples are intended to illustrate the invention but are not intended to limit the scope of the invention.
Fig. 2 is a schematic diagram of a prior-art QKD-based service secure communication process. Referring to Fig. 2, the process is as follows:
The security of QKD is guaranteed by basic principles of quantum mechanics (measurement collapse, the Heisenberg uncertainty principle and the quantum no-cloning theorem), which gives QKD the theoretical advantage of 'unconditional security'. As shown in Fig. 2, the QKD terminals at the two ends carry quantum optical signals and synchronization optical signals over a quantum channel and complete quantum key distribution by exchanging negotiation information, such as basis comparison and error checking, over a negotiation channel; the quantum keys generated by the two QKD terminals are finally stored in the encryption terminals of the corresponding nodes. When a plurality of services arrive at a source node, the encryption terminals at the source and destination nodes of each service independently allocate a different quantum key to each service and encrypt the service in combination with a symmetric encryption algorithm. If the encrypted services are carried by the OTN, they are all aggregated onto a wavelength channel, and after reaching their destination nodes they are decrypted using the different quantum keys.
Limited by the current state of the technology, the quantum key generation rate of QKD is low. The AES symmetric encryption algorithm offers high encryption efficiency and practicality, and the security of services encrypted with it meets current security requirements. The AES key length can be 128 bits, 192 bits or 256 bits; the longer the key, the harder a brute-force attack on the encrypted service and the higher the service's security level. To make attacks harder still, the AES key can be replaced periodically according to an update period.
Most existing OTNs are in an 'unprotected' state, and only a few use a classical public-key cryptography mechanism for confidential transmission of services; security based on classical public-key cryptography depends heavily on computing capability, and it cannot guarantee the security of key distribution. QKD can theoretically guarantee unconditionally secure key distribution. Existing QKD-based service secure communication methods use QKD to distribute a different quantum key to each service separately and perform encryption and decryption at the source and destination nodes of each service. Applied directly to the complex and diverse services in an OTN, such a method easily exhausts the limited and precious quantum key resources, so that the utilization of quantum key resources is low, the waiting delay and blocking rate of multi-service secure communication rise sharply, and OTN performance is seriously affected.
In view of these defects of the prior art and the complex and diverse services carried by an OTN, the embodiment of the invention provides a method for securely transmitting multiple services in an optical transport network. Its core is to combine quantum keys provided by QKD with the Advanced Encryption Standard (AES) algorithm and to add an optical channel encryption unit (OEUk) between the optical channel data unit (ODUk) and the optical channel transport unit (OTUk) of the OTN, so that the services carried by an ODUk are encrypted and decrypted in a unified manner and secure multi-service transmission is achieved.
Fig. 3 is a schematic flow chart of the sending-end method of a multi-service secure transmission method in an optical transport network according to an embodiment of the present invention. The sending-end method shown in Fig. 3 includes:
S100, after a plurality of services are multiplexed and mapped into an optical channel data unit ODUk, performing quantum key encryption on the optical channel data unit ODUk;
In the embodiment of the invention, after the services are multiplexed and mapped into an ODUk and before the ODUk is mapped into the OTUk, a quantum key is allocated to the ODUk carrying the plurality of services and the ODUk is encrypted, so that secure multi-service transmission is achieved.
S101, multiplexing and mapping the encrypted optical channel data unit ODUk into the optical channel transport unit OTUk for transport, so as to implement unified encryption of the plurality of services.
Existing QKD-based service secure communication methods make poor use of quantum key resources when applied directly to the complex and diverse services in an OTN. To address this defect, the embodiment of the invention uniformly encrypts the plurality of services carried by the same ODUk, which achieves secure multi-service transmission in the OTN while saving quantum key resources and improving their utilization.
In an optional embodiment, before step S100, in which quantum key encryption is performed on the optical channel data unit ODUk after the plurality of services are multiplexed and mapped into it, the method further includes:
adding an optical channel encryption unit OEUk between the optical channel data unit ODUk and the optical channel transport unit OTUk of the optical channel layer OCh;
Correspondingly, performing quantum key encryption on the optical channel data unit ODUk after the plurality of services are multiplexed and mapped into it specifically includes: after the plurality of services are multiplexed into the optical channel data unit ODUk, performing quantum key encryption on the optical channel data unit ODUk by using the optical channel encryption unit OEUk.
The optical channel encryption unit OEUk according to the embodiment of the present invention is configured to perform quantum key encryption on the optical channel data unit ODUk after a plurality of services are multiplexed into the optical channel data unit ODUk; the encrypted OEUk is then mapped into the optical channel transport unit OTUk.
Fig. 4 is a schematic diagram of an OTN layered structure with an OEUk added according to an embodiment of the present invention. Referring to Fig. 4, the embodiment adds an optical channel encryption unit OEUk between the ODUk and the OTUk of the OCh layer of the OTN, so as to implement secure transmission of multiple services in the OTN.
Based on the foregoing embodiment, step S100, in which quantum key encryption is performed on the optical channel data unit ODUk after a plurality of services are multiplexed and mapped into it, specifically includes:
S100.1, after the plurality of services carried by the optical channel data unit ODUk arrive at a source node, obtaining the quantum key length requested by each service and the quantum key update period requested by each service;
Specifically, after multiple services carried by the same ODUk in the OTN arrive at a node, the quantum key length and quantum key update period requested by each service are recorded, together with the source node and the destination node of the services carried by the ODUk; in data transmission, the services carried by the ODUk are sent from the source node to the destination node.
S100.2, allocating a target quantum key to the optical channel data unit ODUk according to the maximum of the quantum key lengths requested by the services and the minimum of the quantum key update periods requested by the services;
Specifically, before OTN services arrive, quantum keys may be generated through negotiation between the QKD terminals and stored in the key storage unit of the corresponding node; the key storage unit may be implemented in the optical channel encryption unit OEUk. The key storage units corresponding to the source node and the destination node of the services carried by the ODUk are looked up; the maximum quantum key length request and the minimum quantum key update period request among the services carried by the ODUk are queried; and a quantum key is requested for the ODUk according to that maximum quantum key length and minimum quantum key update period.
S100.3, after the plurality of services are multiplexed into the optical channel data unit ODUk, performing quantum key encryption on the optical channel data unit ODUk by using the target quantum key.
Specifically, the plurality of service signals at the source node are mapped from the ODUk into the OEUk through the OTN mapping process; the ODUk is then encrypted using the quantum key allocated in step S100.2 and the AES algorithm.
The embodiment of the invention uses the optical channel encryption unit OEUk added between the ODUk and the OTUk to encrypt the plurality of services carried by the ODUk in a unified manner. Because the quantum key lengths and quantum key update periods requested by the services are not necessarily the same, the embodiment takes the maximum quantum key length request and the minimum quantum key update period request among all the services as the key length and update period for unified encryption, so that the quantum key requirements of all the services carried by the ODUk are satisfied.
In an optional embodiment, in step S101, the multiplexing and mapping the encrypted optical channel data unit ODUk into the optical channel transport unit OTUk for transport specifically includes:
multiplexing the encrypted optical channel data unit ODUk into an optical channel transport unit OTUk;
acquiring a wavelength channel of the optical channel transport unit OTUk, and transmitting the plurality of services carried by the optical channel data unit ODUk to a destination node by using the wavelength channel.
Specifically, the embodiment of the present invention performs quantum key encryption on the ODUk by using the OEUk, then maps the OEUk into the OTUk, and searches for a wavelength channel carrying the OTUk; the OTUk is transmitted to the corresponding sink node using a wavelength channel.
At a receiving end, demapping the OTUk into an OEUk, and decrypting the ODUk by using the quantum key and the AES algorithm distributed in the step S100.2; and the OEUk is demapped into the ODUk, and the ODUk is converted into the original multiple service signals through the demapping process of the OTN, so that the secure transmission of the multiple services on the corresponding ODUk is completed.
Fig. 5 is a schematic flow chart of the receiving-end method of a multi-service secure transmission method in an optical transport network according to an embodiment of the present invention. The receiving-end method shown in Fig. 5 includes:
S200, after demapping the optical channel transport unit OTUk, performing quantum key decryption on the obtained encrypted optical channel data unit ODUk;
Specifically, an optical channel encryption unit OEUk is added between the optical channel data unit ODUk and the optical channel transport unit OTUk of the optical channel layer OCh at the OTN receiving end, and quantum key decryption of the ODUk is performed symmetrically to the sending end. Since the ODUk carries a plurality of services, the receiving end decrypts the plurality of services in a unified manner through a single decryption process.
Specifically, the optical channel encryption unit OEUk according to the embodiment of the present invention implements the encryption function at the sending end and the decryption function at the receiving end; that is, the optical channel encryption unit OEUk has both encryption and decryption functions.
S201, converting the decrypted optical channel data unit ODUk into a plurality of services through demapping, so as to implement unified decryption of the plurality of services.
Based on the above embodiment, performing quantum key decryption on the encrypted optical channel data unit ODUk obtained after the optical channel transport unit OTUk is demapped specifically includes:
performing quantum key decryption on the optical channel data unit ODUk by using a target quantum key that is the same as the one used at the sending end, where the target quantum key is allocated according to the maximum of the quantum key lengths and the minimum of the quantum key update periods requested by the plurality of services carried by the optical channel data unit ODUk.
The embodiment of the invention provides a multi-service secure transmission method in an OTN aiming at the defect that the quantum key resource utilization rate is low when the existing QKD-based service secure communication method is directly applied to the realization of the secure transmission of complex and various services in the OTN, and the method can be applied to the services borne by all ODUk in the OTN to realize the secure transmission of the OTN whole-network services.
Fig. 6 is a schematic diagram of a secure transmission method and apparatus for multiple services in an OTN according to an embodiment of the present invention, and includes a source node a and a sink node C.
Referring to Fig. 6, when ATM and IP services carried by the same ODUk arrive at source node A, the service recording unit records the destination node of the services as node C, records the quantum key length requests of the ATM and IP services as L1 and L2 respectively (L1 < L2), and records their quantum key update period requests as T1 and T2 respectively (T1 < T2). The control module looks up the key storage units corresponding to node C and node A; the service query unit finds that the maximum quantum key length request of the ATM and IP services carried by the ODUk is L2 and that the minimum quantum key update period request is T1; the control module then controls the key storage unit of node A and the key storage unit of node C to allocate a quantum key K to the ODUk according to the quantum key length L2 and the quantum key update period T1. The ATM and IP service signals at the source node are mapped from the ODUk into the OEUk through the OTN mapping process; the encryption/decryption unit encrypts the ODUk by using the quantum key K and the AES algorithm; the OEUk is mapped into the OTUk, and a wavelength channel W carrying the OTUk is looked up; the OTUk is transmitted to node C over the wavelength channel W; the OTUk is demapped into the OEUk, and the encryption/decryption unit decrypts the ODUk by using the quantum key K and the AES algorithm; the OEUk is demapped into the ODUk, and the ODUk is converted into the original ATM and IP service signals through the OTN demapping process, which completes the secure transmission of the multiple services on the corresponding ODUk.
The embodiment of the invention provides a multi-service secure transmission method in an OTN that combines quantum keys provided by QKD with the AES algorithm and adds an OEUk between the ODUk and the OTUk of the OTN, so that the services carried by an ODUk are encrypted and decrypted in a unified manner. This achieves secure multi-service transmission in the OTN while saving quantum key resources and improving their utilization, and it solves the problem of low quantum key resource utilization that arises when existing QKD-based service secure communication methods are applied directly to the complex and diverse services in an OTN.
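The allocation rule of steps S100.1 and S100.2 and the FIG. 6 walk-through, as an added example that is not part of the patent: it derives the ODUk key request (longest key, shortest update period), generalizes it to any number of services, and compares key bits drawn from a finite QKD key store under per-service keys and under one key per ODUk. The rekey model (a fresh key at t=0 and at each period boundary), the seconds unit, the refill rates and both service mixes are assumptions constructed for illustration.

```python
"""Added example (not from the patent): ODUk key-parameter selection per
steps S100.1-S100.2, with key-bit accounting against a finite QKD key pool."""
from dataclasses import dataclass

AES_KEY_BITS = (128, 192, 256)  # AES key lengths named in the description


@dataclass(frozen=True)
class KeyRequest:
    """Key demand of one service, or of one ODUk after unification."""
    name: str
    key_bits: int         # requested quantum key length
    update_period_s: int  # requested key update period (seconds: assumed unit)

    def __post_init__(self):
        if self.key_bits not in AES_KEY_BITS:
            raise ValueError(f"{self.name}: {self.key_bits} is not an AES key length")
        if self.update_period_s <= 0:
            raise ValueError(f"{self.name}: update period must be positive")


def oduk_request(services):
    """S100.2: longest requested key and shortest requested update period."""
    if not services:
        raise ValueError("ODUk carries no services")
    return KeyRequest(
        name="ODUk",
        key_bits=max(s.key_bits for s in services),
        update_period_s=min(s.update_period_s for s in services),
    )


def key_bits_needed(requests, duration_s):
    """Key bits drawn if every request takes a fresh key at t=0 and then at
    each of its update-period boundaries inside the session (assumed model)."""
    return sum(-(-duration_s // r.update_period_s) * r.key_bits for r in requests)


def simulate_pool(requests, duration_s, gen_rate_bps, initial_bits):
    """Replay rekey events against a key store refilled at gen_rate_bps.
    A rekey that finds too few stored bits is counted as blocked."""
    events = sorted(
        (t, i)
        for i, r in enumerate(requests)
        for t in range(0, duration_s, r.update_period_s)
    )
    pool, last_t, served, blocked = initial_bits, 0, 0, 0
    for t, i in events:
        pool += (t - last_t) * gen_rate_bps  # keys generated since last event
        last_t = t
        if pool >= requests[i].key_bits:
            pool -= requests[i].key_bits
            served += 1
        else:
            blocked += 1
    return {"served": served, "blocked": blocked}


def compare(services, duration_s, gen_rate_bps, initial_bits):
    """Per-service keys (prior art of FIG. 2) versus one key per ODUk."""
    unified = [oduk_request(services)]
    return {
        "oduk": unified[0],
        "per_service_bits": key_bits_needed(services, duration_s),
        "unified_bits": key_bits_needed(unified, duration_s),
        "per_service": simulate_pool(services, duration_s, gen_rate_bps, initial_bits),
        "unified": simulate_pool(unified, duration_s, gen_rate_bps, initial_bits),
    }


# Constructed service mixes; names, lengths, periods and rates are illustrative.
MIX_SIMILAR = [
    KeyRequest("ATM", 128, 60),
    KeyRequest("IP", 256, 60),
    KeyRequest("Ethernet", 256, 120),
    KeyRequest("SDH", 192, 60),
]
MIX_SKEWED = [  # short key rotated often, long key rotated rarely
    KeyRequest("ATM", 128, 10),
    KeyRequest("IP", 256, 600),
]

if __name__ == "__main__":
    for label, mix, rate, start in (
        ("similar", MIX_SIMILAR, 5, 256),
        ("skewed", MIX_SKEWED, 14, 384),
    ):
        print(label, compare(mix, 3600, rate, start))
```

With the similar mix the single ODUk key draws fewer bits than the per-service keys and is never blocked; with the skewed mix it draws more and is blocked, so the saving should be checked against the actual service mix sharing an ODUk.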
An embodiment of the present invention further provides an apparatus for securely transmitting multiple services in an optical transport network, including:
a quantum key encryption module, configured to perform quantum key encryption on an optical channel data unit ODUk after a plurality of services are multiplexed and mapped into the optical channel data unit ODUk; and
a multi-service transport module, configured to multiplex and map the encrypted optical channel data unit ODUk into an optical channel transport unit OTUk for transport, so as to implement unified encryption of the plurality of services.
The apparatus of the embodiment of the present invention may be used to implement the technical solution of the sending-end method embodiment of the multi-service secure transmission method in an optical transport network shown in Fig. 3; the implementation principle and technical effect are similar and are not described here again.
An embodiment of the present invention further provides an apparatus for securely transmitting multiple services in an optical transport network, including:
a quantum key decryption module, configured to perform quantum key decryption on the encrypted optical channel data unit ODUk obtained after the optical channel transport unit OTUk is demapped; and
a multi-service mapping module, configured to convert the decrypted optical channel data unit ODUk into a plurality of services through demapping, so as to implement unified decryption of the plurality of services.
The apparatus of the embodiment of the present invention may be used to implement the technical solution of the receiving-end method embodiment of the multi-service secure transmission method in an optical transport network shown in Fig. 5; the implementation principle and technical effect are similar and are not described here again.
Fig. 7 is a schematic diagram illustrating a framework of an encryption transmitting apparatus of an optical transport network according to an embodiment of the present invention.
Referring to fig. 7, the apparatus includes: a processor 701, a memory 702, and a bus 703; the processor 701 and the memory 702 communicate with each other through the bus 703;
the processor 701 is configured to call the program instructions in the memory 702 to execute the methods provided by the above-mentioned method embodiments, for example, including: after a plurality of services are multiplexed and mapped into an optical path data unit ODUk, quantum key encryption is carried out on the optical path data unit ODUk; and multiplexing and mapping the encrypted optical channel data unit ODUk into an optical channel transport unit OTUk for transport, so as to implement unified encryption of the multiple services.
Another embodiment of the present invention discloses a computer program product comprising a computer program stored on a non-transitory computer-readable storage medium, the computer program comprising program instructions which, when executed by a computer, enable the computer to perform the methods provided by the above-mentioned method embodiments, for example, including: after a plurality of services are multiplexed and mapped into an optical path data unit ODUk, quantum key encryption is carried out on the optical path data unit ODUk; and multiplexing and mapping the encrypted optical channel data unit ODUk into an optical channel transport unit OTUk for transport, so as to implement unified encryption of the multiple services.
Another embodiment of the invention provides a non-transitory computer-readable storage medium storing computer instructions that cause the computer to perform a method provided by the above method embodiments, for example, comprising: after a plurality of services are multiplexed and mapped into an optical path data unit ODUk, quantum key encryption is carried out on the optical path data unit ODUk; and multiplexing and mapping the encrypted optical channel data unit ODUk into an optical channel transport unit OTUk for transport, so as to implement unified encryption of the multiple services.
Fig. 8 is a schematic diagram showing a framework of an optical transport network decrypting and receiving device according to an embodiment of the present invention.
Referring to fig. 8, the apparatus includes: a processor 801, a memory 802, and a bus 803; the processor 801 and the memory 802 communicate with each other through the bus 803;
the processor 801 is configured to call program instructions in the memory 802 to perform the methods provided by the above-described method embodiments, including for example: after demapping the received optical path transport unit OTUk, quantum key decryption is performed on the obtained encrypted optical path data unit ODUk; and converting the decrypted optical path data unit ODUk into a plurality of services through demapping so as to realize unified decryption of the services.
Another embodiment of the present invention discloses a computer program product comprising a computer program stored on a non-transitory computer-readable storage medium, the computer program comprising program instructions which, when executed by a computer, enable the computer to perform the methods provided by the above-mentioned method embodiments, for example, including: after demapping the received optical path transport unit OTUk, quantum key decryption is performed on the obtained encrypted optical path data unit ODUk; and converting the decrypted optical path data unit ODUk into a plurality of services through demapping so as to realize unified decryption of the services.
Another embodiment of the invention provides a non-transitory computer-readable storage medium storing computer instructions that cause the computer to perform a method provided by the above method embodiments, for example, comprising: after demapping the received optical path transport unit OTUk, quantum key decryption is performed on the obtained encrypted optical path data unit ODUk; and converting the decrypted optical path data unit ODUk into a plurality of services through demapping so as to realize unified decryption of the services.
Those of ordinary skill in the art will understand that: the implementation of the above-described apparatus embodiments or method embodiments is merely illustrative, wherein the processor and the memory may or may not be physically separate components, i.e. may be located in one place, or may be distributed over a plurality of network elements. Some or all of the modules may be selected according to actual needs to achieve the purpose of the solution of the present embodiment. One of ordinary skill in the art can understand and implement it without inventive effort.
Through the above description of the embodiments, those skilled in the art will clearly understand that each embodiment can be implemented by software plus a necessary general hardware platform, and certainly can also be implemented by hardware. With this understanding in mind, the above-described technical solutions may be embodied in the form of a software product, which can be stored in a computer-readable storage medium such as ROM/RAM, magnetic disk, optical disk, etc., and includes instructions for causing a computer device (which may be a personal computer, a server, or a network device, etc.) to execute the methods described in the embodiments or some parts of the embodiments.
Finally, it should be noted that: the above examples are only intended to illustrate the technical solution of the present invention, but not to limit it; although the present invention has been described in detail with reference to the foregoing embodiments, it will be understood by those of ordinary skill in the art that: the technical solutions described in the foregoing embodiments may still be modified, or some technical features may be equivalently replaced; and such modifications or substitutions do not depart from the spirit and scope of the corresponding technical solutions of the embodiments of the present invention.

Claims (8)

1. A method for securely transmitting multiple services in an optical transport network, comprising:
after a plurality of services are multiplexed and mapped into an optical path data unit ODUk, quantum key encryption is carried out on the optical path data unit ODUk;
multiplexing and mapping the encrypted optical channel data unit ODUk into an optical channel transport unit OTUk for transport to implement unified encryption of the multiple services;
after the multiple services are multiplexed and mapped into the optical channel data unit ODUk, performing quantum key encryption on the optical channel data unit ODUk specifically includes:
after a plurality of services borne by the optical path data unit ODUk reach a source node, acquiring a quantum key length of each service request and a quantum key update period of each service request;
allocating a target quantum key to the optical channel data unit ODUk according to the maximum length in the quantum key length of each service request and the minimum period in the quantum key update period of each service request;
and after a plurality of services are multiplexed into the optical path data unit ODUk, quantum key encryption is carried out on the optical path data unit ODUk by using the target quantum key.
2. The method according to claim 1, wherein before the quantum key encryption is performed on the optical channel data unit ODUk after the multiple services are multiplexed and mapped into the optical channel data unit ODUk, the method further includes:
adding an optical path encryption unit OEUk between an optical path data unit ODUk and an optical path transmission unit OTUk of an optical path layer OCh;
correspondingly, after the multiple services are multiplexed and mapped into the optical channel data unit ODUk, performing quantum key encryption on the optical channel data unit ODUk, which specifically includes: after multiplexing a plurality of services into the optical channel data unit ODUk, an optical channel encryption unit OEUk is used to perform quantum key encryption on the optical channel data unit ODUk.
3. The method according to claim 1, wherein the multiplexing and mapping the encrypted optical channel data unit ODUk into an optical channel transport unit OTUk for transport specifically includes:
multiplexing the encrypted optical channel data unit ODUk into an optical channel transport unit OTUk;
acquiring a wavelength channel of the optical path transport unit OTUk, and transmitting a plurality of services carried by the optical path data unit ODUk to a destination node by using the wavelength channel.
4. A method for securely transmitting multiple services in an optical transport network, comprising:
after demapping the received optical path transport unit OTUk, quantum key decryption is performed on the obtained encrypted optical path data unit ODUk;
the decrypted optical channel data unit ODUk is converted into a plurality of services through demapping so as to realize unified decryption of the services;
after demapping the optical path transport unit OTUk, the quantum key decryption is performed on the obtained encrypted optical path data unit ODUk, which specifically includes:
quantum key decryption is performed on the optical path data unit ODUk by using a target quantum key that is the same as the target quantum key of the sending end, where the target quantum key is allocated according to the maximum length among the quantum key lengths and the minimum period among the quantum key update periods of the multiple service requests borne by the optical path data unit ODUk.
5. A secure transport apparatus for multiple services in an optical transport network, comprising:
the quantum key encryption module is used for carrying out quantum key encryption on an optical channel data unit ODUk after a plurality of services are multiplexed and mapped into the optical channel data unit ODUk; and
a multi-service transport module, configured to multiplex and map the encrypted optical channel data unit ODUk into an optical channel transport unit OTUk for transport, so as to implement unified encryption on the multiple services;
after the multiple services are multiplexed and mapped into the optical channel data unit ODUk, performing quantum key encryption on the optical channel data unit ODUk specifically includes:
after a plurality of services borne by the optical path data unit ODUk reach a source node, acquiring a quantum key length of each service request and a quantum key update period of each service request;
allocating a target quantum key to the optical channel data unit ODUk according to the maximum length in the quantum key length of each service request and the minimum period in the quantum key update period of each service request;
and after a plurality of services are multiplexed into the optical path data unit ODUk, quantum key encryption is carried out on the optical path data unit ODUk by using the target quantum key.
6. A secure transport apparatus for multiple services in an optical transport network, comprising:
the quantum key decryption module is used for performing quantum key decryption on the obtained encrypted optical channel data unit ODUk after the optical channel transport unit OTUk is subjected to demapping; and
a multi-service mapping module, configured to convert the decrypted optical channel data unit ODUk into multiple services through demapping, so as to implement unified decryption on the multiple services;
after demapping the optical path transport unit OTUk, the quantum key decryption is performed on the obtained encrypted optical path data unit ODUk, which specifically includes:
quantum key decryption is performed on the optical path data unit ODUk by using a target quantum key that is the same as the target quantum key of the sending end, where the target quantum key is allocated according to the maximum length among the quantum key lengths and the minimum period among the quantum key update periods of the multiple service requests borne by the optical path data unit ODUk.
7. An encryption transmission apparatus for an optical transport network, comprising:
at least one processor; and
at least one memory communicatively coupled to the processor, wherein:
the memory stores program instructions executable by the processor, the processor invoking the program instructions to perform the method of any of claims 1 to 3.
8. An optical transport network decryption receiving apparatus, comprising:
at least one processor; and
at least one memory communicatively coupled to the processor, wherein:
the memory stores program instructions executable by the processor, the processor invoking the program instructions to perform the method of claim 4.
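The allocation rule of claims 1 and 5 (longest requested key length, shortest requested update period) and the receiver-side use of the same target key in claims 4 and 6, as an added Python example that is not part of the patent. The service names, the sample values, the bits-per-second consumption metric and the `KeyPool` stand-in for the QKD key store are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class ServiceRequest:
    name: str               # hypothetical service label
    key_bits: int           # quantum key length the service requests
    update_period_s: float  # quantum key update period the service requests


def allocate_target_key(requests: List[ServiceRequest]) -> Tuple[int, float]:
    """Claim 1 rule: longest requested key, shortest requested update period."""
    if not requests:
        raise ValueError("ODUk carries no service requests")
    for r in requests:
        if r.key_bits <= 0 or r.update_period_s <= 0:
            raise ValueError(f"invalid key request from {r.name!r}")
    return (max(r.key_bits for r in requests),
            min(r.update_period_s for r in requests))


def key_rate_per_service(requests: List[ServiceRequest]) -> float:
    """Key bits/s drawn if each service were keyed on its own (assumed metric)."""
    return sum(r.key_bits / r.update_period_s for r in requests)


def key_rate_unified(requests: List[ServiceRequest]) -> float:
    """Key bits/s drawn by the single target key that covers the whole ODUk."""
    bits, period = allocate_target_key(requests)
    return bits / period


class KeyPool:
    """Stand-in for the QKD-delivered key store held identically at both nodes."""

    def __init__(self, material: bytes):
        self._material = material

    def key_for(self, t_s: float, key_bits: int, period_s: float) -> bytes:
        """Return the key for the update period that contains time t_s."""
        epoch = int(t_s // period_s)
        size = (key_bits + 7) // 8
        start = epoch * size
        if t_s < 0 or start + size > len(self._material):
            raise RuntimeError("no quantum key available for this period")
        return self._material[start:start + size]


# Constructed sample requests, not taken from the patent.
MIXED = [ServiceRequest("voice", 128, 60),
         ServiceRequest("scada", 256, 30),
         ServiceRequest("video", 192, 120)]
SKEWED = [ServiceRequest("bulk", 256, 3600),
          ServiceRequest("telemetry", 128, 1)]
SHARED_MATERIAL = bytes(range(256))  # constructed, deterministic key bytes

if __name__ == "__main__":
    bits, period = allocate_target_key(MIXED)
    source, destination = KeyPool(SHARED_MATERIAL), KeyPool(SHARED_MATERIAL)
    print("target key:", bits, "bits every", period, "s")
    print("per-service bits/s:", round(key_rate_per_service(MIXED), 3))
    print("unified bits/s:", round(key_rate_unified(MIXED), 3))
    print("keys match:", source.key_for(45, bits, period)
          == destination.key_for(59.9, bits, period))
```

Under the assumed metric the unified key draws less key material than per-service keying for the `MIXED` requests but more for the `SKEWED` pair, where a short-period service forces a long key to rotate every second. Comparing both rates for the actual service mix shows whether grouping those services onto one ODUk saves key.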
Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201810208771.8A CN108667526B (en) 2018-03-14 2018-03-14 Multi-service safe transmission method, device and equipment in optical transport network

Publications (2)

Publication Number Publication Date
CN108667526A CN108667526A (en) 2018-10-16
CN108667526B true CN108667526B (en) 2020-06-19

Family

ID=63785111

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201810208771.8A Active CN108667526B (en) 2018-03-14 2018-03-14 Multi-service safe transmission method, device and equipment in optical transport network

Country Status (1)

Country Link
CN (1) CN108667526B (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113612612A (en) * 2021-09-30 2021-11-05 阿里云计算有限公司 Data encryption transmission method, system, equipment and storage medium
CN114071264B (en) * 2021-11-12 2024-01-23 国网上海市电力公司 Communication method of network service on endogenous safe optical network and endogenous safe optical network

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN102136907A (en) * 2010-01-25 2011-07-27 中兴通讯股份有限公司 Multicast service encryption method and device for passive optical network system
CN102868524A (en) * 2012-09-28 2013-01-09 电子科技大学 DPS QKD (differential phase shift quantum key distribution) encryption system suitable for GPON (gigabit passive optical network) system
CN203251308U (en) * 2012-12-07 2013-10-23 安徽问天量子科技股份有限公司 Passive optical network
CN106850204A (en) * 2017-02-27 2017-06-13 北京邮电大学 Quantum key distribution method and system
CN106878006A (en) * 2016-12-31 2017-06-20 北京邮电大学 Quantum key channel transmission method and system based on optical time division multiplexing
CN107204812A (en) * 2016-03-18 2017-09-26 国科量子通信网络有限公司 Quantum key distribution and the method and device of passive optical access network fusion
CN107528639A (en) * 2017-09-06 2017-12-29 安徽问天量子科技股份有限公司 Quantum light and classical light common fine transmitting device and its transmission method

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8311221B2 (en) * 2008-01-15 2012-11-13 At&T Intellectual Property Ii, L.P. Architecture for reconfigurable quantum key distribution networks based on entangled photons directed by a wavelength selective switch
CN103023579A (en) * 2012-12-07 2013-04-03 安徽问天量子科技股份有限公司 Method for conducting quantum secret key distribution on passive optical network and passive optical network
GB2534917B (en) * 2015-02-05 2017-09-27 Toshiba Res Europe Ltd A quantum communication system and a quantum communication method

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant