WO2007066951A1 - Method and device for controlling a security channel in an EPON - Google Patents


Info

Publication number
WO2007066951A1
Authority
WO
WIPO (PCT)
Prior art keywords
key
transmitting
encryption module
receiving side
olt
Application number
PCT/KR2006/005199
Other languages
English (en)
Inventor
Jee-Sook Eun
Kyeong-Soo Han
Yool Kwon
Original Assignee
Electronics And Telecommunications Research Institute
Priority claimed from KR1020060051129A (KR100737527B1)
Application filed by Electronics And Telecommunications Research Institute
Priority to US12/083,178 (US20090232313A1)
Priority to JP2008533262A (JP4739419B2)
Priority to CN2006800461196A (CN101326756B)
Publication of WO2007066951A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L9/0841 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H04L63/14 Network architectures or network communication protocols for network security for detecting or protecting against malicious traffic
    • H04L63/1441 Countermeasures against malicious traffic
    • H04L63/1458 Denial of Service

Definitions

  • the present invention relates to a method and device for controlling a security
  • Wireless LAN technology is one of the representative technologies for high-speed Internet service.
  • The wireless LAN has shortcomings such as a large gap between a wide-area network and an end user, and a bottleneck problem at the end user.
  • a passive optical network was introduced.
  • the PON is a system that transfers a signal to an end-user through an optical cable network.
  • the PON is classified into FTTC, FTTB or FTTH by a location of an end-processing.
  • the PON is formed of an optical line terminal (OLT) that is installed at a communication company and a plurality of optical network units (ONU) that are installed around the OLT.
  • OLT optical line terminal
  • ONU optical network units
  • Such a PON technology may be classified into ATM PON (APON) and Ethernet PON (EPON).
  • the EPON technology is a network access control technology that can provide various communication services such as Internet, Internet TV, digital TV and telephone through one optical fiber line to home.
  • the service provider which is a transmitting side, authenticates, distributes a key, and manages the key in order to activate the security function.
  • Starting a key change at an access point is suited to the case where the same key is used in the transmitting and receiving channels. It is therefore difficult to find the exact point at which to change the key in the receiving channel when two different keys are used in the transmitting and receiving channels.
  • a security function is deactivated only by the request of a terminal, and a function for defending a denial of service (DoS) attack is not provided.
  • DoS denial of service
  • One object of the present invention is to provide a method and device for
  • Another object of the present invention is to provide a method and device for
  • a further object of the present invention is to provide a device and method for controlling a security channel for changing a type of encoded frame which is an object of a denial of service (DoS).
  • DoS denial of service
  • the present invention provides a method of controlling security of a communication channel between an optical line terminal (OLT) and an optical network unit (ONU) in a secure channel control system of an Ethernet passive optical network formed of an optical line terminal and an optical network unit having a cryptographic module, a key management module and a transmitter/receiver for transmitting/receiving frames, the method including the steps of: a) distributing a key between the OLT and the ONU; b) transferring the distributed key to the encryption modules of the OLT and ONU; c) activating a corresponding encryption module using the distributed key at one of the OLT and the ONU which starts a security function activation; d) transmitting an encryption module information message including activation state information of the corresponding encryption module from the side (transmitting side) having the activated encryption module to an opponent side (receiving side); and e) activating an encryption module by checking activation state information of the encryption module at the receiving side.
  • OLT optical line terminal
  • ONU optical network unit
  • the method including the steps of: a) distributing a key between the OLT and the ONU; b) transmitting the distributed key to an encryption module of the OLT and the ONU; c) activating a corresponding encryption module at one between the OLT and the ONU which starts activating a security function using the distributed key; d) transmitting an encryption module information message including activation state information of the corresponding encryption module from the side having the activated encryption module (transmitting side) to an opponent side (receiving side); e) activating an encryption module by checking activation state information of the encryption module at the receiving side that receives the encryption module information message; and f) activating a function of sensing denial of service
  • a method of controlling security of a communication channel between an optical line terminal (OLT) and an optical network unit (ONU) in a security channel control system in an Ethernet passive optical network having an encryption module, a key management module and a transmitter/receiver for transmitting and receiving a frame including the steps of: deactivating a function of sensing denial of service in a side (receiving side) receiving the frame among the OLT and the ONU when one of the OLT and the ONU requests encryption data information to change; transmitting an encryption module information message from the receiving side to an opponent side(transmitting side); comparing the encryption module information message with encryption data information and pre-stored data information to determine whether they are matched or not at the transmitting side; transmitting encryption module information message for changing encryption data information to the receiving side when the encryption data information is not matched; comparing encryption data information including an encryption module information message received from the transmitting side to own encryption data information at the receiving side to determine whether they are matched
  • an apparatus for controlling security of channel between an optical line terminal (OLT) and an optical network unit (ONU) in an Ethernet passive optical network having the OLT and the ONU as a transmitter and a receiver for transmitting or receiving a frame including: an encryption module for activating and deactivating according to a request from one starting activating and deactivating a security function between the OLT and the ONU, and activating an encryption module of the opponent side by transmitting an encryption module information message including information noticing that the encryption module is activated or deactivated to the opponent side; and a key management module for distributing a key between the optical line terminal (OLT) and the optical network unit (ONU) before activating the encryption module, and transmitting the distributed key to the encryption module of the OLT and the ONU.
  • The present invention can maintain transmission and reception securing channels that are independent of each other, by activating and deactivating the securing function in the cryptographic module of the transmitting unit (TX). Since the securing function is activated in connection with the key allocation of the transmitting unit (TX), which can acquire the exact key changing time, the present invention can exactly acquire the securing function activating time of the transmitting unit (TX) by transmitting one message.
  • The present invention can prevent a frame transmitted during a state change of the securing function from being treated as a DoS attack and lost, and the organization information of the data encoding information can be changed without disconnecting the securing channel.
  • FIG. 1 is a flowchart illustrating a security access in a wireless LAN according to the related art
  • FIG. 2 is a schematic structural diagram illustrating the structure of EPON
  • FIG. 3 is a structural diagram illustrating the structure of an apparatus for controlling a security channel in
  • FIGs. 4 and 5 are flow diagrams illustrating the process for distributing a key
  • FIG. 6 is a flow diagram illustrating the operation of activating a cryptographic module in EPON
  • FIGs. 7 and 8 are flow diagrams illustrating the operation of inactivating an encryption function in EPON according to an embodiment of the present invention.
  • FIG. 9 is a flowchart describing an operation for activating a cryptographic module including a DoS attack sensing function in the EPON according to a second embodiment of the present invention.
  • FIGs. 10 and 11 are flowcharts describing an operation for deactivating an encryption module including a function of sensing DoS in EPON according to an embodiment of the present invention
  • FIGs. 12 and 13 are flowcharts describing an operation for changing encoding data according to the second embodiment of the present invention.
  • FIG. 14 shows a structure of an information key managing frame according to an embodiment of the present invention.
  • The EPON system includes an optical line terminal (hereinafter referred to as "OLT") 11 for connecting with other systems such as an IP network, a broadcasting network and a TDM network, and optical network units (hereinafter referred to as "ONUs") 12 that are located at the subscriber-side end of the EPON and connected to subscriber terminals 13 such as STBs, PCs and the like.
  • the OLT 11 and the ONUs 12 each have a key that is distributed for the security of communication channels.
  • The OLT 11 and the ONUs 12 can each be both a transmitting side and a receiving side. Note that since the side that encrypts frames begins the activation and inactivation of a security function, the side that encrypts frames becomes the transmitting side TX, and the side that receives the encrypted frames becomes the receiving side RX.
  • the apparatus for controlling the security channel in the EPON may be divided into a transmitting side TX and a receiving side RX.
  • The transmitting side TX and the receiving side RX include key management modules 110T and 110R for distributing and verifying keys between them, cryptographic modules 120T and 120R for encrypting and decrypting frames after the key distribution, and transmitters/receivers 130T and 130R for transmitting and receiving the frames and cryptographic module information messages including the status information of the cryptographic modules, respectively.
  • The key management modules 110T and 110R transfer the distributed keys to the cryptographic modules 120T and 120R, which encrypt and decrypt the frames to be transmitted and received after the key distribution process is completed.
  • FIGs. 4 and 5 are flow diagrams illustrating the process for distributing a key.
  • The key distribution between the OLT 11 and the ONU 12 in the EPON may be started by the OLT 11 as shown in FIG. 4, or by the ONU 12 as shown in FIG. 5.
  • the OLT 11 starts the operation for distributing a key and waits to receive a key generation request message from the ONU 12.
  • the OLT 11 transmits a key generation response message to the ONU 12 to respond that it is possible to generate a key at step S202.
  • the OLT 11 performs key verification and transmits a key verification response message at step S204. Then, the OLT 11 receives a key verification acknowledgement message and terminates the key distribution process at step S205.
  • ONU 12 operates the same as the OLT 11 shown in FIG. 4 in response to the reception of a key generation request message.
  • When the OLT 11 and the ONU 12 receive the key verification acknowledgement message, which marks the termination of the key distribution process, both hold a key whose verification is complete and can decrypt the received encrypted frames.
  • a transmitting side and a receiving side perform encryption and decryption.
  • the operation of activating a cryptographic module will now be described in detail with reference to the attached drawings.
  • the OLT 11 and the ONU 12 can be both a transmitting side and receiving side. Note that a side that transmits a key verification acknowledgement message becomes a transmitting side TX, and that a side that receives the message becomes a receiving side.
  • the OLT 11 and the ONU 12 will be considered a transmitting side and a receiving side, respectively.
  • FIG. 6 is a flow diagram illustrating the operation of activating a cryptographic module in EPON.
  • the transmitting side TX transmits a key verification acknowledgement message through a key distribution process
  • the receiving side RX activates the cryptographic module 120 at step S401 and transmits a cryptographic module information message to the transmitting side TX at step S402.
  • The transmitting side TX then checks when it can encrypt frames, ascertains that the cryptographic module 120R in the receiving side RX is activated ("ON"), and activates the cryptographic module 120T at step S403. Then the transmitting side TX encrypts frames and transmits the encrypted frames to the receiving side RX. This method prevents secured frames from being lost while the receiving side RX is not activated ("OFF"), since the state of the security function of the receiving side RX is checked before the transmitting side TX is activated.
  • The cryptographic module should be changed from an active state to an inactive state.
  • The receiving side RX should perceive the deassertion of the cryptographic module that the transmitting side TX has performed at its own discretion, and should deassert its cryptographic module as well.
  • FIG. 7 and FIG. 8 are flow diagrams illustrating the operation of inactivating an encryption function in EPON according to an embodiment of the present invention.
  • the receiving side RX transmits a cryptographic module information message that causes the transmitting side TX to inactivate the cryptographic module 120T to the transmitting side at step S511. Then, the transmitting side TX inactivates the cryptographic module 120T at step S512, and transmits a cryptographic module information message including information that indicates the current state of the cryptographic module 120T to the receiving side RX at step S513. According to this operation, the receiving side RX ascertains the received cryptographic module information message and inactivates the cryptographic module 120R at step S514.
  • a transmitting side TX is a side that encrypts frames and a receiving side RX is a side that decrypts frames.
  • The receiving side RX receives a key verification acknowledgement message and enters the state of holding a key whose verification is complete, so that it can activate the cryptographic module 120T.
  • This method can reduce the time taken to determine the state of the security function by omitting one of the control frames used in the decision procedure.
  • Encryption Standard that is an encryption algorithm of a data link layer defined by 802.1AE at a cryptographic module
  • the stability of the encryption algorithm relates to the number of frames that are encrypted with the same key. In other words, if frames having the same packet number are encrypted with the same key, the stability of the algorithm cannot be guaranteed.
  • encryption channels exist as a transmitting channel and a receiving
  • the cryptographic module of the receiving side RX decides a time for updating a cryptographic key
  • the number of frames received by the cryptographic module of the receiving side RX may be inaccurate because of the possibility of losing the frames, so it is hard to find an accurate time for updating the key.
  • the subject that decides the time for updating a cryptographic key should be the cryptographic module of the transmitting side TX.
  • all messages that are transmitted between an OLT and an ONU may be encrypted or only some of the messages may be encrypted even when the security function is activated.
  • With the security function active, it is regarded as a denial of service (DoS) attack when a message that should be encrypted is received unencrypted, or when a message that should not be encrypted is received encrypted.
  • DoS denial of service
  • The receiving unit (RX) should match its data encoding information with that of the transmitting unit (TX) before the DoS sensing function is activated. Accordingly, when the transmitting unit (TX) confirms that the data encoding information of the receiving unit (RX) is identical with that of the transmitting unit (TX), the transmitting unit (TX) can activate the DoS sensing function.
  • FIG. 9 is a flowchart describing an operation for activating a cryptographic module including a DoS attack sensing function in the EPON according to a second embodiment of the present invention.
  • a cryptographic module (120R) is operated.
  • the receiving unit (RX) maintains the DoS sensing function in the off state, i.e., in the deactivated mode, and transmits a module encoding information message to the transmitting unit (TX) to notify that the current cryptographic module (120R) is in "on" state, i.e., in the activated mode.
  • the module encoding information message includes information showing that entire data encoding information is deactivated and information showing that the DoS sensing function is deactivated.
  • the data encoding information means on/off information in kinds of data to be encoded.
  • When the kinds of data are divided into data messages and control messages, the data encoding information supports a function that, although the cryptographic module is activated, does not encode both the data messages and the control messages but encodes only a part of the messages.
  • the transmitting unit (TX) receiving the module encoding information message activates the cryptographic module (120T), and transmits the module encoding information message including the required data encoding information set up to be activated to the receiving unit (RX).
  • the receiving unit (RX) changes own organization information based on the data encoding information included in the module encoding information message and transmits the transmitted module encoding information message including the changed data encoding information to the transmitting unit (TX) again.
  • the transmitting unit (TX) checks whether the data encoding information transmitted from the receiving unit (RX) is the same as own data encoding information. When the data encoding information transmitted from the receiving unit (RX) is the same as own data encoding information, the transmitting unit (TX) activates the cryptographic module (120T). At step S606, the transmitting unit (TX) transmits the module encoding information message including information that the current cryptographic module (120T) is activated to the receiving unit (RX), encodes a frame and transmits the encoded frame to the receiving unit (RX).
  • The receiving unit (RX) checks the transmitted module encoding information message, changes the state of the DoS sensing function of the cryptographic module (120R) from "off" to "on", and receives the encoded frame from the transmitting unit (TX).
  • FIGs. 10 and 11 are flowcharts describing an operation for deactivating the cryptographic module including the DoS attack sensing function in the EPON according to the second embodiment of the present invention.
  • The transmitting unit (TX) should deactivate the DoS sensing function of the receiving unit (RX) before deactivating the cryptographic module (120T), so that a non-encoded normal frame is not removed by the DoS function.
  • the transmitting unit (TX) transmits a module encoding information message to the receiving unit (RX) at step S701.
  • The module encoding information message includes information showing that the DoS sensing function is in a deactivated mode.
  • the receiving unit (RX) checks the transmitted module encoding information message and deactivates the DoS sensing function of the cryptographic module (120R).
  • the receiving unit (RX) transmits a module encoding information message showing that the DoS sensing function is deactivated to the transmitting unit (TX).
  • The transmitting unit (TX) changes the state of the cryptographic module (120T) from "on" to "off".
  • the transmitting unit (TX) transmits a module encoding information message notifying that own cryptographic module (120T) is deactivated to the receiving unit (RX).
  • the receiving unit (RX) deactivates the cryptographic module (120R).
  • When the receiving unit (RX) starts to deactivate the securing function, the receiving unit (RX) deactivates the DoS sensing function of its own cryptographic module (120R) at step S711 and transmits a module encoding information message notifying that the DoS sensing function of the receiving unit (RX) is deactivated to the transmitting unit (TX) at step S712.
  • The transmitting unit (TX) changes the state of the cryptographic module (120T) from "on" to "off" and transmits a module encoding information message showing that the cryptographic module of the transmitting unit (TX) is deactivated to the receiving unit (RX) at step S714.
  • The receiving unit (RX) changes the state of its own cryptographic module (120R) from "on" to "off".
  • FIGs. 12 and 13 are flowcharts describing an operation for changing encoding data according to the second embodiment of the present invention.
  • The transmitting unit (TX) transmits a module encoding information message to the receiving unit (RX) at step S801. Since a non-encoded normal frame must not be removed by the DoS function, the DoS sensing function of the receiving unit (RX) is deactivated first, so the module encoding information message includes information notifying that the DoS sensing function is in a deactivated mode.
  • the receiving unit (RX) receiving the module encoding information message deactivates the DoS sensing function.
  • the receiving unit (RX) transmits a module encoding information message including information notifying that the DoS sensing function is deactivated to the transmitting unit (TX).
  • The transmitting unit (TX) checks the data encoding information of the transmitted message in order to distinguish deactivation of the securing function from the process of changing the data encoding information.
  • The transmitting unit (TX) confirms that the message belongs to the process of changing the data encoding information. Subsequently, the transmitting unit (TX) transmits a message carrying the data encoding information of the receiving unit (RX) and the transmitting unit (TX) at step S805.
  • the transmitting unit (TX) confirms that the data encoding information of the transmitting unit (TX) is identical with the data encoding information of the receiving unit (RX)
  • The transmitting unit (TX) transmits a module encoding information message including information for activating the DoS sensing function to the receiving unit (RX) at step S805.
  • the receiving unit (RX) receiving the module encoding information message activates the DoS sensing function at step S806.
  • When the receiving unit (RX) requests to change the encoding data, the receiving unit (RX) deactivates the DoS sensing function at step S811, and transmits a module encoding information message including information notifying that the DoS sensing function of the receiving unit (RX) is deactivated to the transmitting unit (TX) at step S812.
  • The transmitting unit (TX) checks the data encoding information of the transmitted message in order to distinguish deactivation of the securing function from the process of changing the data encoding information.
  • The transmitting unit (TX) recognizes that the module encoding information of the transmitted message belongs to the process of changing the data encoding information.
  • the transmitting unit (TX) transmits a module encoding information message including data encoding information of the transmitting unit (TX) and the receiving unit (RX).
  • the receiving unit (RX) checks whether own data encoding information is identical with the data encoding information of the transmitting unit (TX) and activates the DoS sensing function.
  • the present invention based on the embodiments suggests a method for deciding a time for activating/deactivating the transmitting unit (TX) and the receiving unit (RX) of the cryptographic module in case that the function for sensing the DoS attack in the EPON is used or not used.
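The activation, deactivation and encoding-change handshakes described above, as an added Python simulation that is not part of the patent or of ETRI's implementation: `activate` follows the FIG. 9 order (RX module on with DoS sensing off, TX activates only after the data encoding information matches, RX turns DoS sensing on last), `deactivate` the FIG. 10 order, and `change_encoding` the FIG. 12 order, while `naive_deactivate` shows the frame loss that ordering prevents. The two frame kinds, the `Endpoint`, `EncodingInfo` and `ModuleInfoMessage` names, the rule that an encrypted frame is lost when the receiving module is off, and the rule that the DoS sensing function drops a frame whose encryption state disagrees with the receiver's data encoding information are assumptions of this example.

```python
"""Constructed simulation of the handshakes described above (FIG. 9 activation,
FIG. 10 deactivation, FIG. 12 change of data encoding information). Added
example, not the patent's or ETRI's code. Assumptions: two frame kinds
('data', 'control'); an encrypted frame is lost if the receiving module is off;
the DoS sensing function drops a frame whose encryption state disagrees with
the receiver's data encoding information."""
from dataclasses import dataclass, field, replace


@dataclass(frozen=True)
class EncodingInfo:
    """Data encoding information: which frame kinds are encrypted."""
    data: bool = False
    control: bool = False

    def encrypts(self, kind: str) -> bool:
        return self.data if kind == "data" else self.control


@dataclass(frozen=True)
class ModuleInfoMessage:
    """The 'module encoding information message' exchanged between TX and RX."""
    module_on: bool
    dos_sensing: bool
    encoding: EncodingInfo


@dataclass
class Frame:
    kind: str
    encrypted: bool


@dataclass
class Endpoint:
    name: str
    module_on: bool = False                  # cryptographic module 120T / 120R
    dos_sensing: bool = False                # DoS sensing function (used on RX)
    encoding: EncodingInfo = field(default_factory=EncodingInfo)
    received: list = field(default_factory=list)
    dropped: list = field(default_factory=list)   # (reason, frame)

    def expects_encrypted(self, kind: str) -> bool:
        return self.module_on and self.encoding.encrypts(kind)

    def info(self) -> ModuleInfoMessage:
        return ModuleInfoMessage(self.module_on, self.dos_sensing, self.encoding)

    def send_frame(self, peer: "Endpoint", kind: str) -> None:
        peer.receive_frame(Frame(kind, self.expects_encrypted(kind)))

    def receive_frame(self, frame: Frame) -> None:
        if frame.encrypted and not self.module_on:
            self.dropped.append(("undecryptable", frame))
        elif self.dos_sensing and frame.encrypted != self.expects_encrypted(frame.kind):
            self.dropped.append(("dos", frame))       # treated as a DoS attack
        else:
            self.received.append(frame)


def activate(tx: Endpoint, rx: Endpoint, rx_can_encrypt_control: bool = True) -> bool:
    """FIG. 9: RX activates first with DoS sensing off; TX activates only once
    RX's data encoding information matches its own; RX enables DoS sensing last."""
    rx.module_on, rx.dos_sensing, rx.encoding = True, False, EncodingInfo()
    first = rx.info()                                          # RX -> TX: "on", DoS off
    assert first.module_on and not first.dos_sensing
    request = ModuleInfoMessage(False, False, tx.encoding)     # TX -> RX: wanted setup
    adopted = request.encoding if rx_can_encrypt_control else replace(request.encoding, control=False)
    rx.encoding = adopted                                      # RX -> TX: echo of its setup
    if rx.info().encoding != tx.encoding:                      # TX compares; mismatch: stay off
        return False
    tx.module_on = True                                        # TX -> RX: "module 120T on"
    tx.send_frame(rx, "data")        # encrypted traffic may start before RX turns DoS sensing on
    rx.dos_sensing = True                                      # RX sees "on" -> DoS sensing on
    return True


def deactivate(tx: Endpoint, rx: Endpoint) -> None:
    """FIG. 10 (TX-initiated): RX's DoS sensing is switched off before TX stops
    encrypting, so the first plaintext frames are not dropped as a DoS attack."""
    msg = ModuleInfoMessage(tx.module_on, False, tx.encoding)  # S701: TX -> RX, DoS off
    rx.dos_sensing = msg.dos_sensing                           # S702: RX complies
    if not rx.info().dos_sensing:                              # RX -> TX: DoS sensing off
        tx.module_on = False                                   # "on" -> "off"
        tx.send_frame(rx, "data")                              # plaintext, but not dropped
        rx.module_on = tx.info().module_on                     # RX sees "off" -> module off


def change_encoding(tx: Endpoint, rx: Endpoint, new: EncodingInfo) -> bool:
    """FIG. 12 (TX-initiated): DoS sensing off, both sides agree on the new data
    encoding information, DoS sensing on again; the channel is never torn down."""
    rx.dos_sensing = False                                     # S801/S802
    tx.encoding = new
    tx.send_frame(rx, "control")     # a frame sent under the new setup is not dropped
    rx.encoding = new                                          # S805: RX adopts TX's setup
    rx.dos_sensing = rx.encoding == tx.encoding                # S806: only once matched
    return rx.dos_sensing


def naive_deactivate(tx: Endpoint, rx: Endpoint) -> None:
    """Counter-example: TX switches off first, so the plaintext frame sent before
    RX learns of the change is classified as a DoS attack and lost."""
    tx.module_on = False
    tx.send_frame(rx, "data")
    rx.dos_sensing = rx.module_on = False
```

Run `activate`, `change_encoding` and `deactivate` in that order on an `Endpoint` pair and compare `rx.dropped` with the result of `naive_deactivate` on a second pair: the patent's ordering keeps the dropped list empty, while the naive order loses the first plaintext frame to the DoS sensing function.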
  • TX transmitting unit
  • RX receiving unit
  • FIG. 14 shows a structure of an information key managing frame according to an embodiment of the present invention.
  • The protocol applied in the embodiments of the present invention is used in the data link layer, and uses a frame that is created and consumed between the OLT and the ONU. That is, the key managing protocol uses a Media Access Control (MAC) frame that is created and consumed within the EPON section to transmit the information required by the OLT and the ONU.
  • MAC Media Access Control
  • the MAC frame used in the data link layer is formed as a frame proper to the key managing protocol
  • the MAC frame can have the same frame structure as the structure of FIG. 14.
  • the frame used in the key managing protocol is called a key managing frame.
  • Each field of the key managing frame has a meaning as shown in Table 1 below.
  • DA: Destination Address
  • SA: Received Address
  • Tx: Transmitting unit
  • Length and type information
  • Subtype: 1 byte
  • Flag: 1 byte
  • the DA should have a value of
  • The Subtype uses the value 4 from the range 4 to 10, excluding the conventionally used values 1 to 3. Since the minimum length of a MAC frame is 64 bytes, the Data/Pad field must be at least 43 bytes; its maximum is 107 bytes. Although the maximum length of a MAC frame is 1522 bytes, the key managing frame can carry at most 107 bytes of information, since the maximum length of a frame used in the slow protocol is limited to 128 bytes.
  • Table 2 describes bit information of a flag field and the set done bit is divided into "local” and "remote”.
  • the local set done designates the module encoding information of the OLT
  • the remote set done designates the module encoding information of the ONU.
  • bit value is 0
  • encoding is not performed since the cryptographic module does not exist or the cryptographic module control information is not stably set up.
  • the key managing module can exist or does not exist.
  • the key managing module does not exist, there is no response to a request.
  • the bit value is filled with 0 and the others are filled with null values.
  • the cryptographic module cannot be normally operated and is processed as "0".
  • a case that the bit value is 1 means a state that the cryptographic module can be operated since the cryptographic module exists, and the cryptographic module and the cryptographic module control information are stably set up. Therefore, when both of local set done and remote set done are 1, the cryptographic module can be operated.
  • the control done bit is divided into “local” and "remote”.
  • the local control done designates the module encoding information of the OLT
  • the remote control done designates the module encoding information of the ONU.
  • the bit is used to determine an operation state of the cryptographic module in the OLT and the ONU.
  • When the OLT or the ONU changes the operation state of the current cryptographic module, it sets the bit from 1 to 0 and transmits the changed information. Accordingly, the receiving unit compares the transmitted information with its own information and finds the changed information or the information to be changed.
  • a code field is 1 byte and can classify kinds of the key managing frames.
  • the key managing frame defined in the present invention is as shown in Table 3 below.
  • The frame shown in Table 3 is used by a key managing module to transmit its own key managing module organization information and the organization information of the cryptographic module to the other key managing module.
  • the bit information of the organization information is as shown in Table 4 below and organizes a data field.
  • the organization information is transmitted only when the cryptographic module exists. When the cryptographic module does not exist, the operation state has a null value and organization information is filled with null values.
  • a channel designates a kind of the channels corresponding to the organization information.
  • GCM-AES of 802. IAE is used as an encoding algorithm in the cryptographic module of the EPON, an upward channel and a downward channel can be individually organized.
  • the operation state is a bit for checking whether the current cryptographic module exists or does not exist in a system, and checking whether the current cryptographic module is in operation. That is, when other information of the organization information have same synchronizations and set done bit information of the flag is 1, the deactivated mode can be changed into the activated mode.
  • the cryptographic module are a symmetric key algorithm except RSA.
  • the cryptographic module can have an individual module for operating a plurality of encoding algorithms in some cases.
  • a key allocating algorithm is a bit for transmitting a method for allocating a key in the key managing module and two algorithms are described as an example. However, when the encoding channel is respectively formed to allocate the key, the key allocating algorithm designates algorithm information used in the key allocation cryptographic module.
  • a Data frame an OAM frame, an MPCP frame, and a key managing frame
  • a DoS sensing function designates an operation state of the DoS sensing function.
  • the organization information setup of the OLT and the ONU using the information key managing frame ends before a key allocating process. Accordingly, when the receiving unit (RX) receiving the key verification checking message transmits the information key managing frame, the receiving unit (RX) do not change values of bits 2 to 7 of the organization information since the values of bits 2 to 7 are pre-set. Values of bits 0, 1, 8 to 12 of the organization information should be set up.
  • a channel index is located in front of the organization information and shows, on which channel the organization information is.
  • the securing function operated after allocating the key to apply the securing technology in the EPON is activated or deactivated, the securing function starts to be activated or deactivated not in an access point, but in the securing module of the transmitting unit (TX) for encoding a frame, i.e., in the cryptographic module. Accordingly, the securing function can be activated or deactivated without depending on the access point and it is possible to maintain an independent transmission/reception securing channel. Also, since the securing function is activated in connection with the key allocation of the transmitting unit (TX), securing function activating time of the transmitting unit (TX) can be acquired by transmitting one message.
  • the securing function when the securing function is changed from the activated mode to the deactivated mode, it can be prevented by applying the function for sensing the DoS state in the EPON that the transmitted frame is considered as the DoS and lost. Also, when the function for sensing the DoS state is used, the organization information of the data encoding information can be changed without disconnecting the securing channel.
  • outflow of the key managing frame to the outside of the EPON section can be prevented by using the message using the slow protocol in a technology for activating and deactivating the securing function in the embodiments of the present invention. Accordingly, the key managing frame can not be acquired in the outside of EPON and it is possible to maintain a safe environment. Also, since the slow protocol limits the number and a length of the frame, which can be transmitted for 1 second, by 10 and 128 bytes, respectively, the amount of the traffic in the EPON is not affected.
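The handshake above is easier to reason about as code. The following is an added example written for this page, not code from the patent or from ETRI: it models the information key managing frame, the receiver-side comparison of organization information, the "both set done bits must be 1" rule, and the slow-protocol budget. Only these facts are taken from the text: the 1-byte code field, the local/remote set done flag bits, organization information whose bits 2 to 7 are fixed after setup while bits 0, 1 and 8 to 12 are set per message, a channel index placed in front of the organization information, and the limit of 10 frames per second and 128 bytes. The wire layout of the fields (code, flags, channel index, 16-bit organization information), the code value, the flag bit positions and the choice of variable bit 0 as the operation state are assumptions, since Tables 3 and 4 are not reproduced on this page. The exchange in the `__main__` block is constructed.

```python
"""Model of the key managing frame handshake (added example, not the patent's code).

Assumed for illustration: the byte order of the fields, CODE_INFO, the flag bit
positions and BIT_OPERATION_STATE. Taken from the page: 1-byte code, local/remote
set done bits, fixed bits 2..7 vs variable bits 0,1,8..12, channel index first,
slow-protocol budget of 10 frames/s and 128 bytes.
"""
from __future__ import annotations

import struct
from dataclasses import dataclass

CODE_INFO = 0x01                 # assumed code value for the information frame
FLAG_LOCAL_SET_DONE = 0x01       # assumed bit positions inside the flag byte
FLAG_REMOTE_SET_DONE = 0x02
ORG_WIDTH_MASK = 0x1FFF          # bits 0..12 of the organization information
ORG_FIXED_MASK = 0x00FC          # bits 2..7, pre-set before key allocation
BIT_OPERATION_STATE = 0          # assumed: operation state is variable bit 0


@dataclass(frozen=True)
class KeyMgmtFrame:
    code: int            # 1-byte code classifying the key managing frame
    flags: int           # local/remote set done bits
    channel_index: int   # which channel the organization information is for
    org_info: int        # 13-bit organization information

    def encode(self) -> bytes:
        # Assumed wire layout: code | flags | channel index | org info (16-bit BE)
        if not 0 <= self.code <= 0xFF:
            raise ValueError("code field is one byte")
        if self.org_info & ~ORG_WIDTH_MASK:
            raise ValueError("organization information is 13 bits wide")
        return struct.pack(">BBBH", self.code, self.flags & 0xFF,
                           self.channel_index & 0xFF, self.org_info)

    @classmethod
    def decode(cls, data: bytes) -> KeyMgmtFrame:
        if len(data) != 5:
            raise ValueError("unexpected frame length %d" % len(data))
        code, flags, channel, org = struct.unpack(">BBBH", data)
        if org & ~ORG_WIDTH_MASK:
            raise ValueError("reserved organization bits set")
        return cls(code, flags, channel, org)


def can_operate(flags: int) -> bool:
    """The module may run only when local AND remote set done bits are 1."""
    both = FLAG_LOCAL_SET_DONE | FLAG_REMOTE_SET_DONE
    return flags & both == both


def changed_bits(own_org: int, received_org: int) -> list[int]:
    """Receiver side: which organization bits differ from its own copy."""
    diff = (own_org ^ received_org) & ORG_WIDTH_MASK
    return [b for b in range(13) if diff >> b & 1]


def receiver_check(own_org: int, frame: KeyMgmtFrame,
                   module_present: bool) -> tuple[bool, list[int]]:
    """Decide whether the receiving side may switch its module to active.

    Returns (activate, differing_bits). Activation needs a module present
    (without one there is nothing to answer with), both set done bits, the
    peer reporting an operating module, and agreement on the fixed bits 2..7;
    the variable bits 0, 1 and 8..12 may legitimately differ and are reported.
    """
    if not module_present:
        return False, []
    diff = changed_bits(own_org, frame.org_info)
    fixed_mismatch = any(2 <= b <= 7 for b in diff)
    peer_operating = frame.org_info >> BIT_OPERATION_STATE & 1 == 1
    return can_operate(frame.flags) and not fixed_mismatch and peer_operating, diff


class SlowProtocolGuard:
    """Sender-side budget matching the slow-protocol limits quoted above."""
    MAX_FRAMES_PER_SEC = 10
    MAX_FRAME_BYTES = 128

    def __init__(self) -> None:
        self._sent: list[float] = []

    def allow(self, now: float, frame_len: int) -> bool:
        if frame_len > self.MAX_FRAME_BYTES:
            return False
        self._sent = [t for t in self._sent if now - t < 1.0]
        if len(self._sent) >= self.MAX_FRAMES_PER_SEC:
            return False
        self._sent.append(now)
        return True


if __name__ == "__main__":
    # Constructed exchange: fixed bits 2..7 already agreed as 0b010101 (0x54),
    # OLT reports an operating module and both set done bits.
    olt_org = 0x54 | 1 << BIT_OPERATION_STATE
    frame = KeyMgmtFrame(CODE_INFO, FLAG_LOCAL_SET_DONE | FLAG_REMOTE_SET_DONE, 0, olt_org)
    wire = frame.encode()
    print(wire.hex(), receiver_check(olt_org, KeyMgmtFrame.decode(wire), True))
```

The receiver refuses activation on any disagreement in the fixed bits 2 to 7, because those were settled before key allocation and a mismatch there means the two sides would encrypt under different module configurations; a difference in the variable bits is returned to the caller so it can apply the change the peer announced. The guard only enforces the slow-protocol budget on the sender; the receiver still needs to drop frames that exceed it.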

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention relates to a method and a device for controlling the security of a communication channel between an OLT and an ONU, in a secure channel control system of an EPON composed of the OLT and the ONU and having a cryptographic module, a key management module, and a transceiver for transmitting or receiving frames. The method comprises: a) distributing a key between the OLT and the ONU; b) transferring the distributed key to the encryption modules of the OLT and the ONU; c) using the distributed key at the OLT or the ONU to activate the peer encryption module and start the activation of a security function; d) transmitting an encryption module information message, containing information on the activation state of the peer encryption module, from the side having the activated encryption module (transmitting side) to the opposite side (receiving side); and e) activating an encryption module by verifying, on the receiving side, the information on the activation state of the encryption module.
PCT/KR2006/005199 2005-12-08 2006-12-05 Method and device for controlling a security channel in an EPON WO2007066951A1 (fr)

Priority Applications (3)

Application Number Priority Date Filing Date Title
US12/083,178 US20090232313A1 (en) 2005-12-08 2006-12-05 Method and Device for Controlling Security Channel in Epon
JP2008533262A JP4739419B2 (ja) 2005-12-08 2006-12-05 Method and device for controlling a security channel in an Ethernet PON
CN2006800461196A CN101326756B (zh) 2005-12-08 2006-12-05 Method and device for controlling a security channel in an Ethernet passive optical network

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
KR10-2005-0119201 2005-12-08
KR20050119201 2005-12-08
KR10-2006-0051129 2006-06-07
KR1020060051129A KR100737527B1 (ko) 2005-12-08 2006-06-07 Method and apparatus for controlling a security channel in an Ethernet PON

Publications (1)

Publication Number Publication Date
WO2007066951A1 true WO2007066951A1 (fr) 2007-06-14

Family

ID=38123051

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/KR2006/005199 WO2007066951A1 (fr) 2005-12-08 2006-12-05 Method and device for controlling a security channel in an EPON

Country Status (1)

Country Link
WO (1) WO2007066951A1 (fr)

Cited By (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP2209234A1 (fr) * 2009-01-14 2010-07-21 Nokia Siemens Networks OY Method and device for processing data in an optical network

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20020110245A1 (en) * 2001-02-13 2002-08-15 Dumitru Gruia Method and system for synchronizing security keys in a point-to-multipoint passive optical network
US6848053B1 (en) * 1999-04-16 2005-01-25 Fujitsu Limited Optical network unit and optical line terminal

Similar Documents

Publication Publication Date Title
US9838363B2 (en) Authentication and initial key exchange in ethernet passive optical network over coaxial network
US8490159B2 (en) Method for increasing security in a passive optical network
US7305551B2 (en) Method of transmitting security data in an ethernet passive optical network system
US9032209B2 (en) Optical network terminal management control interface-based passive optical network security enhancement
US9698979B2 (en) QKD key management system
US8948401B2 (en) Method for filtering of abnormal ONT with same serial number in a GPON system
JP2009518932A (ja) Security key management method and security channel control device in an EPON
US20090232313A1 (en) Method and Device for Controlling Security Channel in Epon
CN101073221B (zh) Method for distributing keys over an Ethernet passive optical network
US8942378B2 (en) Method and device for encrypting multicast service in passive optical network system
US8311217B2 (en) Data transmission method and terminal
WO2006062345A1 (fr) Method for distributing keys over an EPON
WO2007066951A1 (fr) Method and device for controlling a security channel in an EPON
KR100606095B1 (ko) Method and apparatus for delivering an encryption key after subscriber authentication in a passive optical network system
JP2014131264A (ja) Switching detection device, subscriber-side device, optical line encryption device, station-side device, optical communication system, switching detection method, and program
KR100809393B1 (ko) Key distribution method in an EPON
JP2015133610A (ja) Station-side device, PON system, and control method of a station-side device

Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase (Ref document number: 200680046119.6; Country of ref document: CN)
121 Ep: the epo has been informed by wipo that ep was designated in this application
ENP Entry into the national phase (Ref document number: 2008533262; Country of ref document: JP; Kind code of ref document: A)
WWE Wipo information: entry into national phase (Ref document number: 12083178; Country of ref document: US)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 06823906; Country of ref document: EP; Kind code of ref document: A1)