JP2015126320A - Communication system, transmitter, receiver and data transmission method for communication system - Google Patents

Abstract

PROBLEM TO BE SOLVED: To improve a data transmission throughput as compared to before.SOLUTION: A communication system includes a first communication device and a second communication device for performing data transmission between with the first communication device. The first communication device includes: an encryption unit for encrypting data to be transmitted to the second communication device, on the basis of first information indicating encryption setting exchanged with the second communication device; and a control unit for transmitting data, encrypted without adding the first information, to the second communication device. The second communication device includes: a receiver unit for receiving data from the first communication device; and a decryption unit for decrypting the data received from the first communication device.

Description

  The present invention relates to a communication system, a transmission device, a reception device, and a data transmission method of the communication system.

  For example, a PON (Passive Optical Network) system is used to connect a mobile terminal device such as a smart phone and a tablet terminal used indoors or a computer device installed indoors to a network. In the PON system, an ONU (Optical Network Unit) arranged in each room and an OLT (Optical Line Terminal) arranged on the station side are connected by an optical line.

  For example, when transmitting data from the OLT to one ONU, the OLT transmits a frame storing the data to all the ONUs by broadcast. Therefore, a technique for encrypting the data and maintaining the confidentiality of the data is proposed. (See Patent Document 1 etc.).

JP 2007-228292 A

  However, in the prior art, since the information indicating the encryption key used for encryption is added to the frame together with the encrypted data, the amount of data that can be stored in the frame is reduced by the amount of information added for encryption, There is a problem that the throughput of data transmission is reduced.

  It is an object of the communication system, the transmission device, the reception device, and the data transmission method of the communication system disclosed in the present disclosure to be able to improve the data transmission throughput as compared with the related art.

  A communication system according to one aspect includes a first communication device and a second communication device that transmits data between the first communication device, and the first communication device is exchanged with the second communication device. Based on the first information indicating the encryption setting, the encryption unit for encrypting the data to be transmitted to the second communication device, and the encrypted data without adding the first information are transmitted to the second communication device. The second communication device receives the data from the first communication device, and the decoding unit decodes the data received from the first communication device based on the first information. And having.

  According to another aspect, a transmission device includes: an encryption unit that encrypts data to be transmitted to a reception device based on first information indicating encryption settings exchanged with the reception device that receives data; And a control unit that transmits the encrypted data to the receiving device without adding information.

  A receiving device according to another aspect is received by a receiving unit based on first information indicating a setting of encryption exchanged between a receiving unit that receives data from a transmitting device that transmits data and the transmitting device. A decryption unit that decrypts encrypted data to which no information is added.

  A data transmission method for a communication system according to another aspect is a data transmission method for a communication system including a first communication device and a second communication device that transmits data between the first communication device and the second communication device. The data transmitted to the second communication device is encrypted by the first communication device based on the first information indicating the encryption setting exchanged between the first communication device, and the encrypted data without adding the first information is transmitted to the second communication device. The data is transmitted to the apparatus by the first communication apparatus, and the data received from the first communication apparatus is decoded by the second communication apparatus based on the first information.

  The communication system, the transmission device, the reception device, and the data transmission method of the communication system disclosed herein can improve the data transmission throughput as compared with the conventional one.

It is a figure which shows one Embodiment of a communication system, a transmitter, and a receiver. It is a figure which shows the flame | frame in which the encrypted data based on IEEE802.3ah is stored as an example of a comparison. It is a figure which shows the example of the flame | frame of the communication system shown in FIG. It is a figure which shows the example of the transmission process in the communication system shown in FIG. It is a figure which shows another embodiment of a communication system, a transmitter, and a receiver. It is a figure which shows an example of OLT shown in FIG. It is a figure which shows an example of ONU shown in FIG. It is a figure which shows the example of the setting table shown in FIG. It is a figure which shows the example of the transmission process in the communication system shown in FIG. It is a figure which shows the example of the transmission process in the communication system shown in FIG.

  Hereinafter, embodiments will be described with reference to the drawings.

  FIG. 1 shows an embodiment of a communication system, a transmission device, and a reception device.

  A communication system 100 illustrated in FIG. 1 is an EPON (Ethernet (registered trademark) Passive Optical Network) system including a transmission path 30 such as an optical fiber that connects the OLT 10, the ONU 20, and the OLT 10 and the ONU 20, for example. In the communication system 100, the OLT 10 is connected to the network 50 by wire or wireless, and the ONU 20 is connected to the user terminal 40 by wire or wireless. The OLT 10 indicates an example of a first communication device or a transmission device, and the ONU 20 indicates an example of a second communication device or a reception device. In the following, an example in which data is transmitted from the network 50 to the user terminal 40 will be described. However, data may be transmitted from the user terminal 40 to the network 50.

  The user terminal 40 is, for example, a computer device such as a personal computer, or a mobile terminal device such as a smart phone or a tablet terminal.

  The OLT 10 includes, for example, a control unit 11 such as a processor. For example, the control unit 11 operates as the encryption unit 12 by executing a program.

  For example, the encryption unit 12 encrypts data received from the network 50 based on information indicating encryption settings exchanged with the ONU 20. Information indicating the operation of the encryption unit 12 and the encryption setting will be described with reference to FIGS.

  For example, the control unit 11 executes data such as a program to receive data from the network 50 and generate a frame in which the received data is stored. The control unit 11 transmits the generated frame to the ONU 20 via the transmission path 30. The program executed by the control unit 11 is stored in advance in a storage unit such as an EEPROM (Electrically Erasable Programmable Read-Only Memory) included in the OLT 10, for example.

  The ONU 20 includes, for example, a receiving unit 21 and a control unit 22 such as a processor.

  For example, the reception unit 21 receives a frame transmitted from the OLT 10.

  The control unit 22 operates as the decoding unit 23 by executing a program or the like, for example.

  For example, the decryption unit 23 decrypts data stored in the received frame based on information indicating encryption settings exchanged with the OLT 10. The control unit 22 transmits the decoded data to the user terminal 40. The operation of the decoding unit 23 will be described with reference to FIGS. Note that the program executed by the control unit 22 is stored in advance in a storage unit such as an EEPROM included in the ONU 20, for example.

  Here, a frame in the communication system 100 will be described based on a comparison with a frame in which encrypted data compliant with IEEE802.3ah is stored. IEEE is an abbreviation for The Institute of Electrical and Electronics Engineers, Inc.

  FIG. 2 shows, as a comparative example, a frame 60 in which encrypted data compliant with IEEE 802.3ah is stored. The frame 60 has storage areas for a preamble 61, a DA (Destination Address) 62, an SA (Source Address) 63, a SecTag (Secure Tag) 64, and a DATA 65. Further, the frame 60 has storage areas for an ICV (Integrity Check Value) 66 and an FCS (Frame Check Sequence) 67. In the storage area of the preamble 61, a bit string having a predetermined pattern indicating the start of the frame 60 corresponding to the EPON defined in IEEE 802.3ah is stored. The storage area of the DA 62 stores the MAC (Media Access Control) address of the device that is the data destination, and the storage area of the SA 63 stores the MAC address of the device that is the data transmission source.

  In the storage area of SecTag 64, information indicating settings in the encryption processing of the MACsec (MAC Security) method defined in IEEE 802.3ah is stored. In the storage area of DATA 65, encrypted data is stored. In the storage area of the ICV 66, information indicating the normality of the encryption processing for data is stored. In the storage area of the FCS 67, a code for performing error detection and correction of data generated while a frame is transmitted through the transmission path 30 is stored.

  As shown in FIG. 2, the SecTag 64 has storage areas for a MET (MACsec Ether Type) 70, a TCI (Tag Control Information) 71, and an AN (Association Channel) 72. Further, the SecTag 64 has storage areas for an SL (Short Length) 73, a PN (Packet Number) 74, and an SCI (Secure Channel Identifier) 75. In the storage area of the MET 70, information indicating that MACsec is used as an encryption method is stored. For example, a hexadecimal value “0x88e5” standardized by IEEE802.3AE is stored in the storage area of MET70. In the storage area of the TCI 71, MACsec version, optional SCI 75, the presence / absence of encryption, and the like are stored in advance according to the communication method.

  In the storage area of the AN 72, for example, a number for identifying a Secure Association in the same SC (Secure Channel) having a maximum of four Secure Associations is stored. Here, the Secure Association indicates that a secure communication path is established by exchanging information such as an encryption method and an encryption key before starting communication. For example, the encryption unit 12 receives the OLT 10 from the network 50 using the encryption key exchanged with the ONU 20 via the communication path established by the Secure Association corresponding to the number stored in the storage area of the AN 72. Encrypted data. Further, the decryption unit 23 of the ONU 20 decrypts the encrypted data received from the OLT 10 using the exchanged encryption key.

  Information indicating the length of the encrypted data is stored in the storage area of the SL 73. In the storage area of the PN 74, a number for identifying a frame transmitted through a communication path established by the same Secure Association is stored. The SCI 75 stores information on the channel to which the frame belongs. Note that the SCI 75 may be omitted because it is an option.

  FIG. 3 shows an example of the frame 80 of the communication system 100 shown in FIG. Of the elements of the frame 80, those having the same or similar functions as the elements of the frame 60 shown in FIG.

  The frame 80 has storage areas for the preamble 61, DA62, SA63, DATA65, ICV66, and FCS67. That is, the SecTag 64 storage area is not added to the frame 80 generated by the OLT 10. Information indicating encryption settings of MET 70, TCI 71, AN 72, SL 73, PN 74, and SCI 75 included in SecTag 64 is stored in a storage unit such as an EEPROM included in OLT 10 and ONU 20.

  For example, when the ONU 20 is newly connected to the transmission path 30, the ONU 20 receives a Discovery Gate frame for detecting the newly connected ONU that is periodically output from the OLT 10 to the transmission path 30. The ONU 20 transmits a Register Request frame for requesting connection to the OLT 10 in response to the received Discovery Gate frame. For example, when the OLT 10 receives a Register Request frame from the ONU 20, the OLT 10 sets up a logical link that is a communication path with the ONU 20. The OLT 10 transmits a Register frame storing the set logical link identifier of the ONU 20 to the ONU 20. When the OLT 10 receives a Register ACK (Acknowledgement) frame from the ONU 20, the OLT 10 establishes communication with the ONU 20. Then, the OLT 10 exchanges, for example, encryption keys in each of the four Secure Association communication paths and information on the settings of the MET 70, TCI 71, AN 72, SL 73, PN 74, and SCI 75 with the ONU 20. The OLT 10 stores the exchanged four encryption keys and the setting information of the MET 70, TCI 71, AN 72, SL 73, PN 74, and SCI 75 in the storage unit in the OLT 10. Further, the ONU 20 stores the exchanged four encryption keys and information on the settings of the MET 70, TCI 71, AN 72, SL 73, PN 74, and SCI 75 in the storage unit in the ONU 20.

  FIG. 4 shows an example of transmission processing in the communication system 100 shown in FIG. Steps S10 to S13 are executed when the control unit 11 of the OLT 10 executes a program. Further, step S20 to step S22 are executed when the control unit 22 of the ONU 20 executes a program. That is, FIG. 4 shows an embodiment of a transmission method. Note that the processing shown in FIG. 4 may be executed by hardware mounted on the OLT 10 and the ONU 20. In this case, the control unit 11, the encryption unit 12, the reception unit 21, the control unit 22, and the decryption unit 23 illustrated in FIG. 1 are realized by circuits arranged in the OLT 10 and the ONU 20.

  In step S10, the control unit 11 receives data from the network 50 as described in FIG.

  Next, in step S11, the encryption unit 12 encrypts the received data based on the information indicating the encryption setting exchanged with the ONU 20, as described with reference to FIGS. .

  Next, in step S12, as described in FIG. 3, the control unit 11 generates a frame 80 in which the encrypted data is stored in the storage area of the DATA 65 without adding information indicating the encryption setting. . For example, the encryption unit 12 reads MET 70, TCI 71, AN 72, SL 73, PN 74, and SCI 75 information stored in a storage unit such as an EEPROM, and an encryption key corresponding to the number stored in the AN 72. For example, the encryption unit 12 calculates AAD (Additional Authenticated Data) using information of DA62, SA63, MET70, TCI71, AN72, SL73, PN74, and SCI75 based on the IEEE 802.3ah standard. Also, the encryption unit 12 calculates an IV (Initialization Vector) using the read PN74 and SCI75 information based on, for example, the IEEE 802.3ah standard. The encryption unit 12 performs GCM (Galois Counter Mode) operation using the read encryption key and the calculated AAD and IV, and encrypts the data. The encryption unit 12 calculates a value indicating the integrity of the encryption process.

  Next, in step S <b> 13, the control unit 11 transmits the generated frame 80 to the ONU 20. For example, the control unit 11 generates the frame 80 by storing the encrypted data in the storage area of the DATA 65 and the value indicating the integrity calculated by the encryption unit 12 in the storage area of the ICV 66. The control unit 11 transmits the generated frame 80 to the ONU 20.

  Next, in step S20, the receiving unit 21 of the ONU 20 receives the frame 80 transmitted from the OLT 10 as described in FIG.

  Next, in step S21, as described with reference to FIGS. 1 to 3, the decryption unit 23 determines the DATA 65 of the received frame 80 based on the information indicating the encryption setting exchanged with the OLT 10. Decrypt data stored in the storage area. For example, the decryption unit 23 reads information on the MET 70, TCI 71, AN 72, SL 73, PN 74, and SCI 75 stored in a storage unit such as an EEPROM, and an encryption key corresponding to the number stored in the AN 72. The decoding unit 23 calculates AAD from information of the read MET70, TCI71, AN72, SL73, PN74, and SCI75 and the DA62 and SA63 of the received frame 80 based on, for example, the IEEE 802.3ah standard. Also, the decoding unit 23 calculates IV from the read PN74 and SCI75 information based on, for example, the IEEE 802.3ah standard. The decryption unit 23 performs GCM calculation using the AAD and IV calculated together with the read encryption key, and decrypts the data stored in the DATA 65 storage area of the received frame 80.

  Next, in step S <b> 22, the control unit 22 transmits the decoded data to the user terminal 40. For example, the control unit 22 compares the value indicating the integrity in the decoding process calculated by the decoding unit 23 with the value stored in the storage area of the ICV 66 of the received frame 80. When the two values match each other, the control unit 22 determines that the decoding process has been normally performed, and transmits the decoded data to the user terminal 40. On the other hand, for example, the control unit 22 determines that the two values do not match and the decoding process has not been performed normally, and discards the frame 80.

  Then, the transmission process by the communication system 100 ends. Note that the flow shown in FIG. 4 is repeatedly executed every time the OLT 10 receives data from the network 50.

  As described above, in this embodiment, the encryption unit 12 encrypts data received from the network 50 based on the information indicating the encryption setting exchanged with the ONU 20. The control unit 11 generates a frame 80 of encrypted data without adding information indicating the encryption setting, and transmits the generated frame 80 to the ONU 20. The decrypting unit 23 decrypts the data of the received frame 80 based on the information indicating the exchanged encryption setting. As a result, the communication system 100 exchanges information indicating the data encryption setting between the OLT 10 and the ONU 20 in advance without adding the information indicating the data encryption setting to the frame 80, so that the information indicating the encryption is added. The amount of data that can be stored in the frame 80 can be increased. The communication system 100 can improve the throughput of data transmission.

  Note that the information of the MET 70, TCI 71, AN 72, SL 73, PN 74, and SCI 75 to be exchanged may be fixed, or may be updated in a predetermined procedure every time the frame 80 is transmitted between the OLT 10 and the ONU 20. Good. For example, the encryption unit 12 may increase or decrease the number of the storage area of the AN 72 in the OLT 10 by one every time data received from the network 50 is encrypted. In order to match the information indicating the encryption setting between the OLT 10 and the ONU 20, for example, the decryption unit 23 sets the storage area number of the AN 72 in the ONU 20 to 1 each time the data of the received frame 80 is decrypted. Increase or decrease. Since there are only four numbers from 0 to 3, the encryption unit 12 and the decryption unit 23 store the number 0 in the storage area of the AN 72 when the number 3 is incremented by 1. , The number of 3 is stored in the storage area of the AN 72. Thereby, every time the frame 80 is transmitted, the encryption key used in the encryption unit 12 and the decryption unit 23 changes, so that the security in the communication system 100 can be improved.

  Further, for example, every time the data received from the network 50 is encrypted, the encryption unit 12 may increase or decrease the value of the storage area of the PN 74 in the OLT 10 by one. In order to match the information indicating the encryption setting between the OLT 10 and the ONU 20, for example, the decryption unit 23 sets the number of the storage area of the PN 74 in the ONU 20 to 1 each time the received data of the frame 80 is decrypted. Increase or decrease. Thereby, every time the frame 80 is transmitted, the frame numbers used in the encryption unit 12 and the decryption unit 23 change, so that the security in the communication system 100 can be improved.

  FIG. 5 shows another embodiment of the communication system, the transmission device, and the reception device. 5 having the same or similar functions as those of the communication system 100 shown in FIG. 1 are denoted by the same reference numerals and detailed description thereof is omitted.

  The communication system 100 includes, for example, an OLT 110, N ONUs 120 (120 (1) -120 (N)), a transmission line 30, and an optical splitter 130 that branches an optical signal into a plurality of parts using passive element splitters (N Is a positive integer). The communication system 100 is connected to the network 50 and N user terminals 140 (140 (1) -140 (N)) in a wired or wireless manner. In the communication system 100, the frame transmitted between the OLT 110 and the ONU 120 is the frame 80 shown in FIG. Note that in the communication system 100, for example, communication in the downstream direction from the OLT 110 to the ONU 120 is performed by a TDM (Time Division Multiplexing) method using an optical signal having a wavelength of 1.5 micrometers. Further, upstream communication from the ONU 120 to the OLT 110 is performed by, for example, a TDMA (Time Division Multiple Access) method using an optical signal having a wavelength of 1.3 micrometers.

  The user terminal 140 is, for example, a computer device such as a personal computer, or a mobile terminal device such as a smart phone or a tablet terminal, similar to the user terminal 40 illustrated in FIG.

  FIG. 6 shows an example of the OLT 110 shown in FIG. The OLT 110 includes a CNI (Core Network Interface) 111, a control unit 112, an EPON side IF (Interface) unit 113, and a storage unit 114.

  The CNI 111 is an interface that performs data transmission between the OLT 110 and the network 50, for example. The CNI 111 is an example of a receiving unit.

  For example, the control unit 112 is a processor or the like that comprehensively controls the operation of each unit of the OLT 1 by executing a program stored in the storage unit 114 such as an EEPROM. For example, the control unit 112 determines whether the data received via the CNI 111 is data addressed to the OLT 110. For example, the control unit 112 determines whether or not the MAC address indicating the destination added to the received data matches the MAC address of the OLT 110, and if it matches, takes in the received data. On the other hand, when the destination MAC address does not match the MAC address of the OLT 110, the control unit 112 discards the received data.

  For example, the control unit 112 operates as the queue unit 115, the encryption unit 116, the decryption unit 117, and the queue unit 118 by executing a program.

  The queue unit 115 acquires, for example, a QoS (Quality of Service) value indicating the priority to be transferred to the ONU 120 added to the data received from the network 50 via the CNI 111. The queue unit 115 stores the received data in a storage area allocated according to the acquired QoS value in a RAM (Random Access Memory) or the like included in the storage unit 114. Further, the queue unit 115 determines the order in which the received data is transferred to the ONU 120 based on the acquired QoS value, for example. Then, the queue unit 115 transfers the data stored in the storage unit 114 to the encryption unit 116 based on the determined order.

  For example, the encryption unit 116 encrypts the data transferred from the queue unit 115 based on the information indicating the encryption setting stored in the EEPROM or the like included in the storage unit 114. Then, the control unit 112 generates a frame 80 in which the encrypted data is stored in the storage area of the DATA 65. The generated frame 80 is broadcast to the ONU 120 via the control unit 112 and the PON side IF unit 113. The operation of the encryption unit 116 will be described with reference to FIG.

  For example, the decryption unit 117 encrypts the data stored in the storage area of the DATA 65 of the frame 80 received from the ONU 120 via the EPON side IF unit 113 based on the information indicating the encryption setting stored in the storage unit 114. Decrypted data. The decryption unit 117 transfers the decrypted data to the queue unit 118. The operation of the decoding unit 117 will be described with reference to FIG.

  The queue unit 118 acquires, for example, a QoS value indicating the priority to be transmitted to the network 50 added to the decoded data. The queue unit 118 stores the received data in a storage area allocated according to the acquired QoS value in the RAM or the like included in the storage unit 114. The queue unit 118 then determines the order in which the received data is transmitted to the network 50 based on the acquired QoS value, and the network stores the data stored in the storage unit 114 via the CNI 111 based on the determined order. 50.

  The EPON side IF unit 113 is an interface that transmits an optical signal to the ONU 120 (1) -ONU 120 (N) by the TDM system and receives an optical signal of the TDMA system from the ONU 120 (1) -ONU 120 (N). The EPON side IF unit 113 includes a conversion unit that converts the optical signal of the frame 80 from each ONU 120 into an electrical signal, and converts the electrical signal of the frame 80 transmitted by the OLT 110 into an optical signal.

  The storage unit 114 includes, for example, a RAM together with an EEPROM and the like, and stores a program executed by the control unit 112. In addition, the storage unit 114 stores setting tables 200 and 210 indicating information on encryption settings exchanged with each ONU 120 in a storage area allocated in advance. The setting tables 200 and 210 will be described with reference to FIG.

  FIG. 7 shows an example of the ONU 120 (1) shown in FIG. The ONU 120 (1) includes an EPON-side IF 121, a control unit 122, a UNI (User Network Interface) 123, and a storage unit 124 including an EEPROM, a RAM, and the like. The ONU 120 (2) -120 (N) includes an element having the same function as the ONU 120 (1) shown in FIG.

  The EPON side IF unit 121 receives the optical signal of the frame 80 transmitted from the OLT 110 by the TDM method, converts the frame 80 storing the data from the accommodated user terminal 140 (1) into an optical signal, and transmits it to the OLT 110 by the TDMA method. The interface to send. The EPON side IF unit 121 includes a conversion unit that converts the electrical signal of the frame 80 transmitted to the OLT 110 into an optical signal and converts the optical signal of the frame 80 received from the OLT 110 into an electrical signal.

  For example, the control unit 122 is a processor or the like that comprehensively controls the operation of each unit of the ONU 120 (1) by executing a program stored in the storage unit 124 such as an EEPROM. For example, the control unit 122 determines whether or not the frame 80 received from the OLT 110 via the EPON-side IF unit 121 is addressed to the ONU 120 (1). That is, for example, the control unit 122 determines whether or not the MAC address of the DA 62 added to the received frame 80 matches the MAC address of the ONU 120 (1), and takes in the received frame 80 when they match. On the other hand, when the MAC address of the DA 62 does not match the MAC address of the ONU 120 (1), the control unit 122 discards the received frame 80. The control unit 122 operates as a decryption unit 125, a queue unit 126, a queue unit 127, and an encryption unit 128, for example, by executing a program.

  The decryption unit 125 decrypts the data stored in the storage area of the DATA 65 of the received frame 80 based on the information indicating the encryption setting stored in the storage unit 124. The decryption unit 125 transfers the decrypted data to the queue unit 126. The operation of the decryption unit 125 will be described with reference to FIG.

  For example, the queue unit 126 stores the decoded data in a storage area allocated in accordance with the QoS value added to the received frame 80 in the storage unit 124. Further, the queue unit 126 determines the order in which the decrypted data is transferred to the user terminal 140 (1) based on the acquired QoS value. And the control part 122 transmits the decoded data to the user terminal 140 (1) via UNI123 based on the determined order.

  For example, the queue unit 127 stores the received data in the storage area allocated to the storage unit 124 based on the QoS value added to the data received from the user terminal 140 (1) via the UNI 123. The order of transfer to the encryption unit 128 is determined. The queue unit 127 transfers the data stored in the storage unit 124 to the encryption unit 128 based on the determined order.

  The encryption unit 128 encrypts the data transferred from the queue unit 127 based on the information indicating the encryption setting stored in the storage unit 124. Then, the control unit 122 generates a frame 80 in which the encrypted data is stored in the storage area of the DATA 65, and transmits the generated frame 80 to the OLT 110 via the EPON side IF unit 121. The operation of the encryption unit 128 will be described with reference to FIG.

  The UNI 123 is an interface that is connected to the user terminal 140 (1) and transmits data to and from the user terminal 140 (1). Transmission of data between the UNI 123 and the user terminal 140 (1) is based on communication between the user terminal 140 (1) and the control unit 122 when the user terminal 140 (1) is first connected to the UNI 123. This is done at the set link speed. The UNI 23 is connected to one user terminal 140 (1), but a plurality of user terminals 140 may be connected.

  The storage unit 124 includes, for example, a RAM as well as an EEPROM and the like, and stores a program executed by the control unit 122. In addition, the storage unit 124 stores the encryption setting information exchanged with the OLT 110 in a storage area allocated in advance.

  FIG. 8 shows an example of the setting tables 200 and 210 shown in FIG. The setting tables 200 and 210 store information indicating encryption settings exchanged between the OLT 110 and each ONU 120. The setting table 200 shown in FIG. 8A is used when the frame 80 is transmitted from the OLT 110 to the ONU 120, and the setting table 210 shown in FIG. 8B is used when the frame 80 is transmitted from the ONU 120 to the OLT 110. It is done.

  The setting table 200 has a storage area for each ONU 120 that is a transmission destination of data received from the network 50, and the encryption key and the MET 70, TCI 71, AN 72, SL 73, PN 74, and SCI 75 included in the SecTag 64 shown in FIG.

  In the encryption key storage area, for example, data of four encryption keys K1j (0) -K1j (3) exchanged between the OLT 110 and each ONU 120 and used by the encryption unit 116 and the decryption unit 125 are stored. Stored (j is an integer from 1 to N).

  In the storage area of the MET 70, a hexadecimal value “0x88e5” standardized by IEEE802.3AE is stored.

  The storage area of the TCI 71 stores predetermined information α1j determined in advance according to the EPON communication method, which indicates the MACsec version, the optional SCI 75, the presence / absence of encryption, and the like.

  In the storage area of the AN 72, any number from 0 to 3 for identifying the Secure Association in the same SC having four Secure Associations is stored.

  In the storage area of SL73, information β1j indicating the length of the encrypted data is stored.

  In the storage area of the PN 74, a number for identifying the frame 80 transmitted through the communication path established by the same Secure Association is stored.

  In the storage area of the SCI 75, channel information γ1j to which the frame 80 including encrypted data belongs is stored. Note that the SCI 75 may be omitted because it is an option.

  The setting table 210 has a storage area for the encryption key, MET70, TCI71, AN72, SL73, PN74, and SCI75 for each ONU 120 that is the transmission source of the frame 80 received via the EPON side IF unit 113.

  In the encryption key storage area, for example, data of four encryption keys K2j (0) -K2j (3) exchanged between the OLT 110 and each ONU 120 and used by the decryption unit 117 and the decryption unit 128 are stored. Stored. The encryption key K2j (0) -K2j (3) stored in the setting table 210 may be the same as or different from the encryption key K1j (0) -K1j (3) stored in the setting table 200.

  In the storage area of the MET 70, a hexadecimal value “0x88e5” standardized by IEEE802.3AE is stored.

  The storage area of the TCI 71 stores predetermined information α2j determined in advance according to the EPON communication method, which indicates the MACsec version, the optional SCI 75, the presence / absence of encryption, and the like. The information α2j stored in the setting table 210 may be the same as or different from the information α1j stored in the setting table 200.

  In the storage area of the AN 72, any number from 0 to 3 for identifying the Secure Association in the same SC having four Secure Associations is stored. Note that the number stored in the setting table 210 may be the same as or different from the number stored in the setting table 200.

  Information β2j indicating the length of the encrypted data is stored in the storage area of SL73.

  In the storage area of the PN 74, a number for identifying the frame 80 transmitted through the communication path established by the same Secure Association is stored.

  In the storage area of the SCI 75, channel information γ2j to which a frame including encrypted data belongs is stored. Note that the information γ2j stored in the setting table 210 may be the same as or different from the information γ1j stored in the setting table 200. Further, the SCI 75 may be omitted because it is an option.

  On the other hand, each ONU 120 stores, for example, the encryption key and information such as MET 70 stored in the row of each ONU 120 in the setting tables 200 and 210 in the storage area allocated to the storage unit 124.

  9 and 10 show examples of transmission processing in the communication system 100 shown in FIG. 9 shows processing when data is transmitted from the OLT 110 shown in FIG. 5 to the ONU 120 (1), and FIG. 10 shows processing when data is transmitted from the ONU 120 (1) to the OLT 110. Steps S100 to S140 shown in FIG. 9 and steps S400 to S440 shown in FIG. 10 are executed when the control unit 112 of the OLT 110 executes a program. Further, steps S200 to S250 shown in FIG. 9 and steps S300 to S340 shown in FIG. 10 are executed by the control unit 122 of the ONU 120 executing a program. That is, FIG. 9 and FIG. 10 show another embodiment of the transmission method. 9 and 10 may be executed by hardware mounted on the OLT 110 and the ONU 120 (1). In this case, the queue units 115 and 118, the encryption unit 116 and the decryption unit 117 shown in FIG. 6, or the decryption unit 125, the queue units 126 and 127, and the encryption unit 128 shown in FIG. This is realized by a circuit arranged in the ONU 120 (1).

  The data transmission process between the OLT 110 and the ONU 120 (2) -120 (N) is the same as the data transmission process between the OLT 110 and the ONU 120 (1) shown in FIGS.

  In step S100 of FIG. 9, the control unit 112 of the OLT 110 receives data addressed to the OLT 110 from the network 50 via the CNI 111 as described with reference to FIGS.

  Next, in step S110, the queue unit 115 encrypts the received data in the order determined according to the QoS value added to the data received from the network 50, as described in FIG. 6 and FIG. Forward to the unit 116.

  Next, in step S120, the encryption unit 116 reads information indicating the encryption setting of the destination ONU 120 (1) from the setting table 200 as described with reference to FIGS. Based on the received data is encrypted. For example, the encryption unit 116 specifies the destination ONU 120 based on the MAC address indicating the destination added to the data received from the network 50. The encryption unit 116 reads the MET 70, TCI 71, AN 72, SL 73, PN 74, and SCI 75 information of the identified ONU 120 and the encryption key corresponding to the number stored in the AN 72 from the setting table 200. For example, the encryption unit 116 calculates AAD from the read DA62, SA62, MET70, TCI71, AN72, SL73, PN74, and SCI75 information based on the IEEE 802.3ah standard. Also, the encryption unit 116 calculates IV from the read PN74 and SCI75 information, for example. The encryption unit 116 performs GCM calculation using the read encryption key and the calculated AAD and IV, encrypts data received from the network 50, and calculates a value indicating the integrity of the encryption process.

  Next, in step S130, as described with reference to FIGS. 5 and 6, the control unit 112 transmits the frame in which the encrypted data without adding the information indicating the encryption setting is stored in the storage area of the DATA 65. 80 is generated. Note that the control unit 112 stores a value indicating the integrity calculated by the encryption unit 116 in the storage area of the ICV 66 when the frame 80 is generated.

  Next, in step S140, the control unit 112 transmits the generated frame 80 to the ONU 120 via the EPON-side IF unit 113 as described with reference to FIGS.

  Next, in step S200, the control unit 122 of the ONU 120 (1) receives the frame 80 transmitted by the OLT 110 via the EPON-side IF unit 121 as described with reference to FIGS.

  Next, in step S210, the control unit 122 determines whether the ONU 120 (1) is the destination of the received frame 80, as described with reference to FIGS. For example, the control unit 122 compares the MAC address stored in the storage area of the DA 62 of the received frame 80 with the MAC address of the ONU 120 (1). When the two MAC addresses match (YES), the control unit 122 determines that the received frame 80 is addressed to the ONU 120 (1). And the control part 122 takes in the received flame | frame 80, and transfers a process to step S220. On the other hand, when the two MAC addresses do not match (NO), the control unit 122 discards the received frame 80, and the process proceeds to step S200.

  In step S220, the decryption unit 125 reads the information indicating the encryption setting exchanged with the setting table 200 of the OLT 110 as described in FIGS. 5, 7, and 8, and based on the read information. The data stored in the received frame 80 is decoded. For example, the decryption unit 125 stores information on the MET 70, TCI 71, AN 72, SL 73, PN 74, and SCI 75 exchanged with the setting table 200 of the OLT 110, and an encryption key corresponding to the number stored in the AN 72. 124 is read in advance. For example, when the decoding unit 125 receives the frame 80 from the OLT 110, the decoding unit 125 calculates AAD from the information of the read MET 70, TCI 71, AN 72, SL 73, PN 74, and SCI 75 and the DA 62 and SA 63 of the received frame 80. Also, the decryption unit 125 calculates IV from the read PN74 and SCI75 information, for example. The decryption unit 125 performs a GCM operation using the AAD and IV calculated together with the encryption key, decrypts the data stored in the DATA65 storage area of the frame 80, and obtains a value indicating the integrity in the decryption process. calculate.

  In step S230, the decoding unit 125 compares the calculated completeness value with a value stored in the storage area of the ICV 66 of the received frame 80, and determines whether or not the decoding process has been performed normally. To do. For example, the decryption unit 125 determines that the decryption process has been performed normally when the value indicating the calculated integrity matches the value stored in the storage area of the ICV 66 (YES). The decryption unit 125 transfers the decrypted data to the queue unit 126, and the process proceeds to step S240. On the other hand, for example, when the decryption unit 125 determines that the calculated integrity value does not match the value stored in the storage area of the ICV 66 and the decryption process has not been performed normally (NO), The frame 80 is discarded and the process proceeds to step S200.

  In step S240, the queue unit 126 determines the order in which the decoded data is transmitted to the user terminal 140 (1) according to the QoS value added to the received frame 80, as described with reference to FIGS. decide.

  Next, in step S250, the control unit 122 transmits the decoded data to the user terminal 140 (1) in the determined order as described in FIG.

  Then, the transmission process from the OLT 110 to the ONU 120 of the communication system 100 ends. The flow shown in FIG. 9 is repeatedly executed every time the OLT 110 receives data from the network 50.

  On the other hand, in step S300 of FIG. 10, the control unit 122 of the ONU 120 (1) receives data from the user terminal 140 (1) via the UNI 123, as described with reference to FIGS.

  Next, in step S310, as described with reference to FIGS. 5 and 7, the queue unit 127 receives the packets in the order determined according to the QoS value added to the data received from the user terminal 140 (1). Data is transferred to the encryption unit 128.

  Next, in step S320, the encryption unit 128 reads and reads the information indicating the encryption setting exchanged with the setting table 210 of the OLT 110, as described with reference to FIGS. Encrypt the received data based on the information. For example, the encryption unit 128 stores information on the MET 70, TCI 71, AN72, SL73, PN74, and SCI75 exchanged with the setting table 210 of the OLT 110, and an encryption key corresponding to the number stored in the AN72. 124 is read in advance. For example, when the encryption unit 128 receives data from the queue unit 127, the encryption unit 128 calculates AAD from information of the read MET 70, TCI 71, AN 72, SL 73, PN 74, and SCI 75 and the DA 62 and SA 63 of the received frame 80. For example, the encryption unit 128 calculates IV from the information stored in the read PN 74 and SCI 75. The encryption unit 128 performs GCM calculation using the read encryption key and the calculated AAD and IV, encrypts the data received from the queue unit 127, and calculates a value indicating the integrity of the encryption process. .

  Next, in step S330, as described with reference to FIGS. 5 and 7, the control unit 122 transmits the frame in which the encrypted data without adding the information indicating the encryption setting is stored in the storage area of the DATA 65. 80 is generated. Note that the control unit 122 stores the value indicating the integrity calculated by the encryption unit 128 in the storage area of the ICV 66 when the frame 80 is generated.

  Next, in step S340, the control unit 122 transmits the generated frame 80 to the OLT 110 via the EPON-side IF unit 121 as described with reference to FIGS.

  Next, in step S400, the control unit 112 of the OLT 110 receives the frame 80 transmitted by the ONU 120 (1) via the EPON side IF unit 113 as described with reference to FIGS.

  Next, in step S410, the decryption unit 117 reads the information indicating the encryption setting of the ONU 120 (1), which is the transmission source, from the setting table 210, as described in FIG. 5, FIG. 6, and FIG. The received frame 80 data is decoded based on the read information. For example, when receiving the frame 80 from the ONU 120 via the EPON side IF unit 113, the decoding unit 117 identifies the transmission source ONU 120 from the MAC address stored in the storage area of the SA 63 of the received frame 80. The decryption unit 117 reads from the setting table 210 information on the MET 70, TCI 71, AN 72, SL 73, PN 74, and SCI 75 of the identified ONU 120 and the encryption key corresponding to the number stored in the AN 72. The decoding unit 117 calculates AAD from information of the read MET70, TCI71, AN72, SL73, PN74, and SCI75, and DA62 and SA63 of the received frame 80 based on, for example, the IEEE 802.3ah standard. Also, the decryption unit 117 calculates IV from, for example, the read PN74 and SCI75 information. The decryption unit 117 performs GCM calculation using the AAD and IV calculated together with the read encryption key, decrypts the data stored in the storage area of the DATA 65 of the frame 80, and indicates the completeness in the decryption process Calculate the value.

  In step S420, the decoding unit 117 compares the calculated completeness value with the value stored in the storage area of the ICV 66 of the received frame 80, and determines whether the decoding process has been performed normally. To do. For example, when the value indicating the calculated integrity matches the value stored in the storage area of the ICV 66 (YES), the decoding unit 117 determines that the decoding process has been performed normally. The decryption unit 117 transfers the decrypted data to the queue unit 118, and the process proceeds to step S430. On the other hand, for example, when the decoding unit 117 determines that the calculated integrity value does not match the value stored in the storage area of the ICV 66 and the decoding process has not been performed normally (NO), The frame 80 is discarded and the process proceeds to step S400.

  Next, in step S430, the queue unit 118 determines the order in which the decoded data is transmitted to the network 50 according to the QoS value added to the received frame 80, as described with reference to FIGS. To do.

  Next, in step S440, the control unit 112 transmits the decoded data to the network 50 based on the determined order as described in FIG.

  Then, the transmission process from the ONU 120 to the OLT 110 of the communication system 100 ends. Note that the flow shown in FIG. 10 is repeatedly executed every time the ONU 120 receives data from the user terminal 140. Further, the processes shown in FIGS. 9 and 10 may be executed in parallel.

  As described above, in this embodiment, the encryption unit 116 of the OLT 110 encrypts data received from the network 50 based on the setting table 200. The control unit 112 generates a frame 80 of encrypted data without adding information indicating the encryption setting, and transmits the generated frame 80 to the ONU 120. The decryption unit 125 of the ONU 120 decrypts the received data of the frame 80 based on the information indicating the exchanged encryption setting. On the other hand, the encryption unit 128 of the ONU 120 encrypts the data received from the user terminal 140 based on the information indicating the exchanged encryption setting. The control unit 122 generates the encrypted data frame 80 without adding information indicating the encryption setting, and transmits the generated frame 80 to the OLT 110. The decoding unit 117 of the OLT 110 decodes the received data of the frame 80 based on the setting table 210. As a result, the communication system 100 compares the information indicating the data encryption setting with the OLT 110 and each ONU 120 in advance without adding the information indicating the data encryption setting to the frame 80, so that the information indicating the encryption is added. Thus, the amount of data that can be stored in the frame 80 can be increased. The communication system 100 can improve the throughput of data transmission.

  In addition, the queue unit 115 and the queue unit 127 determine the order of data before encrypting the received data, so that the communication system 100 can transmit data between the OLT 110 and each ONU 120 with high accuracy. it can.

  The OLT 110 and the ONU 120 have the storage unit 114 and the storage unit 124, but may be connected to a storage device that is arranged outside and has the setting tables 200 and 210.

  The information of MET 70, TCI 71, AN 72, SL 73, PN 74, and SCI 75 stored in tables 200 and 210 and storage unit 124 may be fixed, or frame 80 is transmitted between OLT 110 and each ONU 120. It may be updated every time.

  For example, every time the encryption unit 116 of the OLT 110 encrypts data received from the network 50, the number of the AN 72 of the ONU 120 (1) indicated by the destination MAC address added to the received data in the setting table 200 is displayed. It may be increased or decreased by one. In order to match with the setting table 200, the decoding unit 125 of the ONU 120 (1) stores the AN 72 of the storage unit 124 exchanged with the setting table 200 every time the received frame 80 data is decoded, for example. The region number may be increased or decreased by one.

  For example, the encryption unit 128 of the ONU 120 (1) sets the storage area number of the AN 72 of the storage unit 124 exchanged with the setting table 210 to 1 each time data received from the user terminal 140 is encrypted. It may be increased or decreased. Then, for example, each time the decoding unit 117 of the OLT 110 decodes the data of the received frame 80, the number of the AN 72 of the ONU 120 (1) of the MAC address indicated by the SA 63 of the received frame 80 in the setting table 210 is set to 1. It may be increased or decreased. As a result, the encryption key used between the encryption unit 116 and the decryption unit 125 and between the encryption unit 128 and the decryption unit 117 changes every time the frame 80 is transmitted. Can be improved.

  Alternatively, for example, each time the encryption unit 116 encrypts data received from the network 50, the value of the PN 74 of the ONU 120 (1) indicated by the destination MAC address added to the received data in the setting table 200 is displayed. It may be increased or decreased by one. In order to match the setting table 200, the decoding unit 125 of the ONU 120 (1) stores the PN 74 of the storage unit 124 exchanged with the setting table 200 every time the received frame 80 data is decoded, for example. The region number may be increased or decreased by one.

  Further, for example, the encryption unit 128 of the ONU 120 (1) sets the storage area number of the PN 74 of the storage unit 124 exchanged with the setting table 210 to 1 each time data received from the user terminal 140 is encrypted. It may be increased or decreased. For example, each time the decoding unit 117 of the OLT 110 decodes the data of the received frame 80, the PN 74 number of the ONU 120 (1) of the MAC address indicated by the SA 63 of the received frame 80 in the setting table 210 is incremented by one. Or it may be decreased. Accordingly, every time the frame 80 is transmitted, the frame numbers used between the encryption unit 116 and the decryption unit 125, and between the encryption unit 128 and the decryption unit 117 change. Can be improved.

  From the above detailed description, features and advantages of the embodiments will become apparent. This is intended to cover the features and advantages of the embodiments described above without departing from the spirit and scope of the claims. Also, any improvement and modification should be readily conceivable by those having ordinary knowledge in the art. Therefore, there is no intention to limit the scope of the inventive embodiments to those described above, and appropriate modifications and equivalents included in the scope disclosed in the embodiments can be used.

10, 110 ... OLT; 11, 112, 22, 122 ... control unit; 12, 116, 128 ... encryption unit; 20, 120 (1) -120 (N) ... ONU; 21 ... reception unit; 23, 117, 125 ... Decoding unit; 30 ... Transmission path; 40, 140 (1) -140 (N) ... User terminal; 50 ... Network; 60, 80 ... Frame; 61 ... Preamble; 62 ... DA; SecTag; 65 ... DATA; 66 ... ICV; 67 ... FCS; 70 ... MET; 71 ... TCI; 72 ... AN; 73 ... SL; 74 ... PN; 75 ... SCI; 100 ... communication system; 111 ... CNI; 113,121 ... EPON side IF unit; 114, 124 ... storage unit; 115, 118, 126, 127 ... queue unit; 130 ... optical coupler

Claims (7)

A first communication device;
A second communication device for transmitting data to and from the first communication device,
The first communication device is
An encryption unit that encrypts data to be transmitted to the second communication device based on first information indicating encryption settings exchanged with the second communication device;
A control unit for transmitting the encrypted data without adding the first information to the second communication device,
The second communication device is
A receiving unit for receiving the data from the first communication device;
And a decoding unit that decodes the data received from the first communication device based on the first information. The communication system according to claim 1.
The encryption unit updates the first information of the first communication device by a predetermined procedure every time the data to be transmitted is encrypted,
The decoding unit updates the first information of the second communication device according to the predetermined procedure every time the data is decoded from the first communication device. The communication system according to claim 1 or 2,
The second communication device is
An encryption unit that encrypts data to be transmitted to the first communication device based on second information indicating encryption settings exchanged with the first communication device;
A controller that transmits the encrypted data without adding the second information to the first communication device,
The first communication device is
A communication system comprising: a decoding unit that decodes the data received from the second communication device based on the second information. The communication system according to claim 3,
The encryption unit of the second communication device updates the second information of the second communication device in a predetermined procedure every time the data to be transmitted is encrypted,
The decoding unit of the first communication device updates the second information of the first communication device according to the predetermined procedure every time the data is decoded from the second communication device. . An encryption unit that encrypts data to be transmitted to the receiving device based on first information indicating encryption settings exchanged with the receiving device that receives data;
And a control unit that transmits the encrypted data without adding the first information to the receiving device. A receiving unit for receiving data from a transmitting device for transmitting data;
A decryption unit configured to decrypt encrypted data received by the reception unit and not including the first information, based on first information indicating encryption settings exchanged with the transmission device; ,
A receiving apparatus comprising: A data transmission method for a communication system comprising a first communication device and a second communication device for transmitting data between the first communication device,
The first communication device encrypts data to be transmitted to the second communication device based on the first information indicating the encryption setting exchanged with the second communication device,
Transmitting the encrypted data without adding the first information to the second communication device by the first communication device;
A data transmission method for a communication system, wherein the data received from the first communication device is decoded by the second communication device based on the first information.

Images