WO2012097601A1 - Method, system and device for distributing safely a multicast key - Google Patents


Info

Publication number
WO2012097601A1
Authority
WO
WIPO (PCT)
Application number
PCT/CN2011/079917
Inventor
李琴
铁满霞
胡亚楠
杜志强
王轲
Original Assignee
西安西电捷通无线网络通信股份有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/0822 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) using key encryption key
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/06 Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00 Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/60 Digital content management, e.g. content distribution
    • H04L2209/601 Broadcast encryption

Definitions

  • The present invention belongs to the field of network security and relates to a method, system and device for securely distributing a multicast key.
  • EPON: Ethernet Passive Optical Network.
  • EPON is a new type of optical fibre access network technology. It provides integrated data, voice and video service access over a single fibre access system and is economically attractive.
  • EPON is an access network technology that combines the advantages of Ethernet and the passive optical network (PON); it is a shared-medium network.
  • The EPON equipment at the central office is called the optical line terminal (OLT); the system at the user end is called the optical network unit (ONU).
  • OLT: Optical Line Terminal.
  • ONU: Optical Network Unit.
  • Uplink data transmission from the ONU to the OLT follows the time division multiplexing principle: the data of each frame is scheduled in a specific time slot, and uplink data does not reach other ONUs.
  • Downlink data transmitted from the OLT to the ONUs is broadcast: the passive optical splitter delivers each data packet to all ONUs simultaneously.
  • The downlink channel of the EPON system therefore operates in broadcast mode. When an ONU is in promiscuous mode, any terminal station that wishes to receive the downlink transmission can do so.
  • In an EPON network, multicast service packets from the OLT to the ONUs are sent by broadcast, and each ONU performs selective reception.
  • The OLT node has two modes for handling multicast services: single-copy multicast and multi-copy multicast.
  • Single-copy multicast mode effectively saves bandwidth between the OLT and the ONUs: instead of sending a separate unicast packet to each ONU belonging to the multicast service group, the OLT sends one multicast packet, which the ONUs of that group receive. However, nothing prevents an ONU that does not belong to the multicast group from also receiving the multicast service packet.
  • In multi-copy multicast mode, the OLT node generates a separate copy of the multicast service packet for each ONU belonging to the multicast service group; an ONU in promiscuous mode that is not in the group can still receive these packets. Even when the OLT protects each per-ONU copy with encryption, so that an ONU outside the group can receive but cannot parse the multicast service packet, bandwidth between the OLT and the ONUs is still wasted.
  • To solve the above problems, the present invention provides a method, system and device for securely distributing a multicast key.
  • The method for securely distributing a multicast key provided by the invention includes the following steps:
  • 1) The optical network unit ONU establishes a unicast key USK with the optical line terminal OLT.
  • 2) The ONU sends a multicast key request packet to the OLT. The packet includes a multicast service identifier list information List MSID field and a random number N_ONU field of the ONU. The N_ONU field identifies the freshness of the multicast key request packet. The List MSID field contains one or more multicast service identifiers MSID, namely the list of MSIDs for which the ONU requests distribution of the corresponding multicast keys.
  • 3) After receiving the multicast key request packet from the ONU, the OLT constructs a multicast key advertisement packet and sends it to the ONU. Through this packet, the OLT uses the unicast key USK shared with the ONU to secretly notify the ONU of the multicast advertisement master key list List NMK corresponding to the List MSID field, in the form of an advertisement master key data list List E(NMK).
  • 4) After receiving the multicast key advertisement packet from the OLT, the ONU decrypts, or decrypts and expands, to obtain the multicast key MSK corresponding to each multicast service identifier MSID in the List MSID field.
  • The present invention also includes a secure distribution system for a multicast key, comprising an optical line terminal OLT and an optical network unit ONU. After establishing a unicast key with the OLT, the ONU sends a multicast key request packet to the OLT; after receiving the request packet, the OLT constructs a multicast key advertisement packet that carries the corresponding multicast advertisement master key NMK list to the ONU in ciphertext; after receiving the advertisement packet, the ONU decrypts, or decrypts and expands, to obtain the multicast key MSK of the corresponding multicast service.
  • The present invention also includes an optical line terminal OLT comprising:
  • a unicast key establishment module, configured to establish a unicast key USK with the optical network unit ONU;
  • a multicast key distribution module, configured to receive the multicast key request packet sent by the ONU, extract from it the multicast service identifier list information corresponding to the multicast keys requested by the ONU, encrypt the multicast advertisement master key NMK corresponding to each multicast service identifier with the unicast key shared with the ONU, and construct the multicast key advertisement packet and send it to the ONU. Through the multicast key advertisement packet, the module secretly advertises to the ONU the NMK list corresponding to the multicast service identifier list requested by the ONU.
  • The present invention also includes an optical network unit ONU comprising: a unicast key establishment module, configured to establish a unicast key USK with the optical line terminal OLT;
  • a multicast key requesting module, configured to send a multicast key request packet to the OLT; through this packet, the module sends to the OLT the multicast service identifier list information for which the ONU needs to obtain multicast keys;
  • a multicast key response module, configured to receive the multicast key advertisement packet sent by the OLT, decrypt the multicast advertisement master key NMK list secretly advertised in it, and either use each NMK directly as the multicast key MSK or apply a one-way hash algorithm to each NMK to obtain the corresponding multicast key MSK.
  • Different multicast keys can be assigned to the multiple multicast service groups supported by EPON products. Although multicast downlink data is transmitted in broadcast mode in EPON, only an ONU holding the corresponding multicast key MSK can receive the correct information and obtain the plaintext of the multicast message.
  • The optical line terminal OLT does not need to verify an integrity check for each multicast key request, which reduces the computational complexity of key distribution.
  • Random numbers are carried in the multicast key request packet, the multicast key advertisement packet and the multicast key confirmation packet, which ensures message freshness during the multicast key distribution process.
  • By using a list, the ONU can request from the OLT the multicast keys corresponding to multiple multicast services in a single process.
  • FIG. 1 is a schematic diagram of the multicast key distribution process without an acknowledgement packet according to the present invention;
  • FIG. 2 is a schematic diagram of the multicast key distribution process with an acknowledgement packet according to the present invention;
  • FIG. 3 is a schematic diagram of the multicast key secure distribution system corresponding to the method for securely distributing a multicast key provided by the present invention;
  • FIG. 4 is a schematic diagram of the optical line terminal OLT corresponding to the method for securely distributing a multicast key according to the present invention;
  • FIG. 5 is a schematic diagram of the optical network unit ONU corresponding to the method for securely distributing a multicast key according to the present invention.
  • The present invention provides a method for securely distributing a multicast key, comprising the following steps:
  • 1) The optical network unit ONU establishes a unicast key USK with the optical line terminal OLT. In a preferred embodiment of the invention, both parties derive a key encryption key KEK and an integrity check key MAK from the unicast key USK.
  • 2) The ONU sends a multicast key request packet to the OLT. The packet includes a multicast service identifier list information List MSID field and a random number N_ONU field of the ONU:
  • random number N_ONU field of the ONU: used to identify the freshness of the multicast key request packet;
  • multicast service identifier list information List MSID field: contains one or more multicast service identifiers MSID, namely the list of MSIDs for which the ONU requests distribution of the corresponding multicast keys. A multicast service identifier MSID may be a multicast logical link identifier LLID.
  • 3) After receiving the multicast key request packet from the ONU, the OLT constructs a multicast key advertisement packet and sends it to the ONU. Through this packet, the OLT uses the unicast key USK shared with the ONU to secretly notify the ONU of the multicast advertisement master key list List NMK corresponding to the List MSID field, in the form of an advertisement master key data list List E(NMK).
  • 4) After receiving the multicast key advertisement packet from the OLT, the ONU decrypts, or decrypts and expands, to obtain the multicast key MSK corresponding to each multicast service identifier MSID in the List MSID field.
  • If the local policy of the OLT does not require the ONU to feed back a multicast key confirmation packet (see Figure 1), the specific processing of step 3) is as follows:
  • 3.1) The OLT locally looks up the multicast advertisement master key NMK corresponding to each multicast service identifier MSID in the List MSID field and builds a multicast advertisement master key list List NMK. If no NMK exists locally for an MSID in the List MSID field, the OLT generates a multicast advertisement master key NMK for that MSID and saves it locally.
  • 3.2) The OLT uses the unicast key USK shared with the ONU (in a preferred embodiment of the invention, the key encryption key KEK derived from the unicast key USK) to encrypt the List NMK corresponding to the List MSID field, obtaining the advertisement master key data list List E(NMK).
  • 3.3) The OLT constructs a multicast key advertisement packet comprising the List MSID field, the random number N_ONU field of the ONU, the advertisement master key data list List E(NMK) field and an integrity check MIC1 field. The MIC1 field is the hash value computed with the unicast key USK shared between the OLT and the ONU (in a preferred embodiment of the invention, the integrity check key MAK derived from the unicast key USK) over all fields of the multicast key advertisement packet except the MIC1 field.
  • 3.4) The OLT sends the constructed multicast key advertisement packet to the ONU.
  • If the local policy of the OLT requires the ONU to feed back a multicast key confirmation packet (see Figure 2), the specific processing of step 3) is as follows:
  • 3.1) The OLT locally looks up the multicast advertisement master key NMK corresponding to each multicast service identifier MSID in the List MSID field and builds a multicast advertisement master key list List NMK. If no NMK exists locally for an MSID in the List MSID field, the OLT generates a multicast advertisement master key NMK for that MSID and saves it locally.
  • 3.2) The OLT uses the unicast key USK shared with the ONU (in a preferred embodiment of the invention, the key encryption key KEK derived from the unicast key USK) to encrypt the List NMK corresponding to the List MSID field, obtaining the advertisement master key data list List E(NMK).
  • 3.3) The OLT locally generates a random number as the random number N_OLT field of the OLT, used to identify the freshness of the key advertisement.
  • 3.4) The OLT constructs a multicast key advertisement packet comprising the List MSID field, the random number N_OLT field of the OLT, the random number N_ONU field of the ONU, the advertisement master key data list List E(NMK) field and an integrity check MIC2 field. The MIC2 field is the hash value computed by the OLT with the integrity check key MAK derived from the unicast key USK over all fields of the multicast key advertisement packet except the MIC2 field.
  • 3.5) The OLT sends the constructed multicast key advertisement packet to the ONU.
  • If the ONU does not need to send a multicast key confirmation packet after receiving the multicast key advertisement packet (see Figure 1), the specific processing of step 4) is as follows:
  • 4.1) The ONU extracts the N_ONU field and the List MSID field from the multicast key advertisement packet and compares them with the corresponding fields of the multicast key request packet it generated earlier. If they are consistent, go to step 4.2); otherwise, discard the packet.
  • 4.2) The ONU uses the unicast key USK shared with the OLT (in a preferred embodiment of the invention, the integrity check key MAK derived from the unicast key USK) to verify the correctness of the MIC1 field in the received multicast key advertisement packet. If correct, go to step 4.3); otherwise, discard the packet.
  • 4.3) The ONU uses the unicast key USK shared with the OLT (in a preferred embodiment of the invention, the key encryption key KEK derived from the unicast key USK) to decrypt the advertisement master key data list List E(NMK) field, obtaining the multicast advertisement master key NMK corresponding to each multicast service identifier MSID in the List MSID field. According to the system policy, the ONU either uses each NMK directly as the multicast key MSK or applies a one-way hash algorithm to the NMK to obtain the multicast key MSK.
  • If the ONU needs to send a multicast key confirmation packet after receiving the multicast key advertisement packet (see Figure 2), the specific processing of step 4) is as follows:
  • 4.1) The ONU extracts the N_ONU field and the List MSID field from the multicast key advertisement packet and compares them with the corresponding fields of the multicast key request packet it generated earlier. If they are consistent, go to step 4.2); otherwise, discard the packet.
  • 4.2) The ONU uses the unicast key USK shared with the OLT (in a preferred embodiment of the invention, the integrity check key MAK derived from the unicast key USK) to verify the correctness of the MIC2 field in the received multicast key advertisement packet. If correct, go to step 4.3); otherwise, discard the packet.
  • 4.3) The ONU uses the unicast key USK shared with the OLT (in a preferred embodiment of the invention, the key encryption key KEK derived from the unicast key USK) to decrypt the advertisement master key data list List E(NMK) field, obtaining the multicast advertisement master key NMK corresponding to each multicast service identifier MSID in the List MSID field. According to the system policy, the ONU either uses each NMK directly as the multicast key MSK or applies a one-way hash algorithm to the NMK to obtain the multicast key MSK.
  • KEK: key encryption key derived from the unicast key USK.
  • In the case with a confirmation packet, step 4) is further followed by steps 5) and 6):
  • 5) The ONU sends a multicast key confirmation packet to the OLT. The specific processing of step 5) is as follows:
  • 5.1) The ONU constructs a multicast key confirmation packet comprising the List MSID field, the random number N_OLT field of the OLT and an integrity check MIC3 field. The MIC3 field is the hash value computed by the ONU with the unicast key USK shared with the OLT (in a preferred embodiment of the invention, the integrity check key MAK derived from the unicast key USK) over all fields of the multicast key confirmation packet except the MIC3 field.
  • 5.2) The ONU sends the constructed multicast key confirmation packet to the OLT.
  • 6) The OLT receives the multicast key confirmation packet from the ONU, confirms that the ONU has received the multicast key, and completes the multicast key distribution process. The specific processing of step 6) is as follows:
  • 6.1) The OLT extracts the N_OLT field and the List MSID field from the multicast key confirmation packet and compares them with the corresponding fields of the multicast key advertisement packet it generated earlier. If they are consistent, go to step 6.2); otherwise, discard the packet.
  • 6.2) The OLT verifies the correctness of the MIC3 field in the received multicast key confirmation packet using the unicast integrity check key shared with the ONU. If correct, it confirms that the ONU has received the multicast key, and the secure distribution process of the multicast key is complete; otherwise, it discards the packet.
  • Thereafter, multicast messages sent by the OLT to the ONU for a multicast service identifier MSID are transmitted protected with the established multicast key MSK; after receiving them, the ONU obtains the plaintext of the multicast message using the corresponding established multicast key MSK.
  • The multicast key distribution system includes an optical line terminal OLT 301 and an optical network unit ONU 302. After establishing a unicast key with the OLT 301, the ONU 302 sends a multicast key request packet to the OLT 301 when it needs to request a multicast key; after receiving the request packet, the OLT 301 constructs a multicast key advertisement packet that carries the corresponding multicast advertisement master key NMK list to the ONU 302 in ciphertext; after receiving the advertisement packet, the ONU 302 decrypts, or decrypts and expands, to obtain the multicast key MSK of the corresponding multicast service. In this secure distribution system, the ONU 302 may optionally construct a multicast key confirmation packet and send it to the OLT 301.
  • The present invention also provides an optical line terminal OLT corresponding to the above method for securely distributing a multicast key. The OLT includes:
  • a unicast key establishment module 401, configured to establish a unicast key USK with the optical network unit ONU;
  • a multicast key distribution module 402, configured to receive the multicast key request packet sent by the ONU, extract from it the multicast service identifier list information corresponding to the multicast keys requested by the ONU, encrypt the multicast advertisement master key NMK corresponding to each multicast service identifier with the unicast key shared with the ONU, and construct the multicast key advertisement packet and send it to the ONU. Through the multicast key advertisement packet, the multicast key distribution module secretly advertises to the ONU the NMK list corresponding to the multicast service identifier list requested by the ONU.
  • The OLT further includes a multicast key confirmation module 403, configured to receive the multicast key confirmation packet sent by the ONU and confirm that the ONU has received the multicast advertisement master key NMK list secretly advertised by the multicast key distribution module of the OLT.
  • The present invention further provides an optical network unit ONU corresponding to the above method for securely distributing a multicast key. The ONU includes:
  • a unicast key establishment module 501, configured to establish a unicast key USK with the optical line terminal OLT;
  • a multicast key requesting module 502, configured to send a multicast key request packet to the OLT; through this packet, the module sends to the OLT the multicast service identifier list information for which the ONU needs to obtain multicast keys;
  • a multicast key response module 503, configured to receive the multicast key advertisement packet sent by the OLT, decrypt the multicast advertisement master key NMK list secretly advertised in it, and either use each NMK directly as the multicast key MSK or apply a one-way hash algorithm to each NMK to obtain the corresponding multicast key MSK.
  • The multicast key response module 503 of the ONU may further send a multicast key confirmation packet to the OLT, notifying the OLT that the ONU has received the multicast advertisement master key NMK list secretly advertised by the OLT.
  • With the present invention, different multicast keys can be assigned to the multiple multicast service groups supported by an EPON product. Although downlink multicast data is transmitted by broadcast in the EPON, only an ONU holding the corresponding multicast key MSK can receive the correct information and obtain the plaintext of the multicast message.
  • The invention fully exploits the unidirectionality of EPON uplink data: no integrity check is computed for the multicast key request packet, so the OLT does not need to verify an integrity check for each multicast key request, which reduces the computational complexity of key distribution.
  • The multicast key request packet, the multicast key advertisement packet and the multicast key confirmation packet each carry a random number, which ensures message freshness during the multicast key distribution process.
  • By using a list, the present invention allows the ONU to request from the OLT the multicast keys corresponding to multiple multicast services in a single process.
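The exchange of steps 1) to 6) above, as an added stand-alone simulation that is not code from the patent or its assignee. It assumes choices the patent leaves open: KEK and MAK are derived from USK with HMAC-SHA256, List E(NMK) is wrapped with an HMAC-SHA256 counter-mode keystream standing in for the unspecified cipher, MIC1/MIC2/MIC3 are HMAC-SHA256 over a canonical JSON encoding of the packet, MSK expansion is SHA-256(NMK), and packets are Python dicts with constructed values.

```python
# Added example (not from the patent). Assumed, not fixed by the patent:
# KEK/MAK = HMAC-SHA256(USK, label); List E(NMK) wrapped with an HMAC-SHA256
# counter-mode keystream; MIC1/2/3 = HMAC-SHA256 over canonical JSON;
# MSK expansion = SHA-256(NMK). Stdlib only.
import hashlib
import hmac
import json
import os

NMK_LEN = 16  # constructed: 128-bit multicast advertisement master keys

def derive_keys(usk: bytes):
    """Step 1 follow-up: KEK and MAK derived from the unicast key USK."""
    return (hmac.new(usk, b"KEK", hashlib.sha256).digest(),
            hmac.new(usk, b"MAK", hashlib.sha256).digest())

def keystream_xor(kek: bytes, iv: bytes, data: bytes) -> bytes:
    """Placeholder cipher: XOR with HMAC-SHA256(kek, iv||ctr) blocks; symmetric."""
    out = bytearray()
    for i in range(0, len(data), 32):
        blk = hmac.new(kek, iv + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], blk))
    return bytes(out)

def mic(mak: bytes, packet: dict, skip: str) -> str:
    """MIC over every field of the packet except the MIC field itself."""
    fields = {k: v for k, v in packet.items() if k != skip}
    return hmac.new(mak, json.dumps(fields, sort_keys=True).encode(), hashlib.sha256).hexdigest()

def expand_msk(nmk: bytes) -> bytes:
    """System policy 'decrypt and expand': MSK = H(NMK)."""
    return hashlib.sha256(nmk).digest()

class OLT:
    def __init__(self, usk: bytes, require_confirm: bool):
        self.kek, self.mak = derive_keys(usk)
        self.require_confirm = require_confirm  # local policy: Figure 1 or Figure 2
        self.nmk_table = {}        # MSID -> NMK, generated on first request
        self.last_announce = None  # kept to check the confirmation packet

    def on_request(self, req: dict) -> dict:
        """Step 3: one NMK per MSID, encrypted under KEK, then the advertisement."""
        list_nmk = b"".join(self.nmk_table.setdefault(m, os.urandom(NMK_LEN))
                            for m in req["List_MSID"])
        iv = os.urandom(16)
        ann = {"List_MSID": req["List_MSID"], "N_ONU": req["N_ONU"],
               "List_E_NMK": (iv + keystream_xor(self.kek, iv, list_nmk)).hex()}
        if self.require_confirm:           # Figure 2 variant: N_OLT + MIC2
            ann["N_OLT"] = os.urandom(16).hex()
            ann["MIC2"] = mic(self.mak, ann, "MIC2")
            self.last_announce = ann
        else:                              # Figure 1 variant: MIC1 only
            ann["MIC1"] = mic(self.mak, ann, "MIC1")
        return ann

    def on_confirm(self, conf: dict) -> bool:
        """Step 6: 6.1 bind to our own advertisement, 6.2 verify MIC3."""
        ann = self.last_announce
        if ann is None or conf.get("List_MSID") != ann["List_MSID"] or conf.get("N_OLT") != ann["N_OLT"]:
            return False
        return hmac.compare_digest(conf.get("MIC3", ""), mic(self.mak, conf, "MIC3"))

class ONU:
    def __init__(self, usk: bytes):
        self.kek, self.mak = derive_keys(usk)
        self.pending = None  # the request we are waiting on
        self.msk = {}        # MSID -> MSK

    def request(self, msids) -> dict:
        """Step 2: List_MSID plus a fresh N_ONU; deliberately no MIC."""
        self.pending = {"List_MSID": list(msids), "N_ONU": os.urandom(16).hex()}
        return dict(self.pending)

    def on_announce(self, ann: dict):
        """Step 4: None if discarded, else the step 5 confirmation packet ({} if none)."""
        p = self.pending  # 4.1: freshness and binding to our own request
        if p is None or ann.get("List_MSID") != p["List_MSID"] or ann.get("N_ONU") != p["N_ONU"]:
            return None
        tag = "MIC2" if "N_OLT" in ann else "MIC1"  # 4.2: integrity check
        if not hmac.compare_digest(ann.get(tag, ""), mic(self.mak, ann, tag)):
            return None
        blob = bytes.fromhex(ann["List_E_NMK"])  # 4.3: decrypt and expand
        plain = keystream_xor(self.kek, blob[:16], blob[16:])
        for i, msid in enumerate(ann["List_MSID"]):
            self.msk[msid] = expand_msk(plain[i * NMK_LEN:(i + 1) * NMK_LEN])
        self.pending = None  # a replayed copy of this advertisement is rejected
        if tag == "MIC1":
            return {}
        conf = {"List_MSID": ann["List_MSID"], "N_OLT": ann["N_OLT"]}
        conf["MIC3"] = mic(self.mak, conf, "MIC3")
        return conf

def run_exchange(msids, require_confirm: bool) -> bool:
    """Whole run; True when both sides hold the same MSK for every MSID."""
    usk = os.urandom(32)  # constructed: USK assumed established in step 1
    olt, onu = OLT(usk, require_confirm), ONU(usk)
    conf = onu.on_announce(olt.on_request(onu.request(msids)))
    if conf is None or (require_confirm and not olt.on_confirm(conf)):
        return False
    return all(onu.msk[m] == expand_msk(olt.nmk_table[m]) for m in msids)
```

As in the method, the request packet carries no MIC; what protects the ONU is the step 4.1 binding to its own N_ONU plus the MIC over the advertisement, so a modified or replayed advertisement is discarded before any key material is accepted.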


Abstract

A method for distributing safely a multicast key comprises: 1) an Optical Network Unit (ONU) establishes a Unicast Key (USK) with an Optical Line Terminal (OLT); 2) the ONU transmits a multicast key request message to the OLT; 3) the OLT constructs a multicast key notification message and transmits it to the ONU; 4) the ONU performs decryption, or decryption and extension, to obtain a Multicast Key (MSK) corresponding to each multicast service identifier (MSID) in the multicast service identifier list information ListMSID field. The method overcomes the defects of the prior art, in which the downlink multicast service of an Ethernet Passive Optical Network (EPON) either wastes bandwidth in multi-copy mode or saves bandwidth but is unsafe in single-copy mode. Also disclosed in the present invention are a system for distributing safely the multicast key, and an OLT and an ONU corresponding to the method.

Description

一种组播密钥的安全分发方法、 系统及设备 本申请要求于 2011年 1月 20日提交中国专利局、申请号为 201110023141.1 发明名称为"一种组播密钥的安全分发方法、系统及设备"的中国专利申请的优 先权, 其全部内容通过引用结合在本申请中。  The present invention claims to be submitted to the Chinese Patent Office on January 20, 2011, and the application number is 201110023141.1. The invention name is "a multicast key security distribution method and system and The priority of the Chinese Patent Application, the entire disclosure of which is incorporated herein by reference.
技术领域 Technical field
本发明属于网络安全领域, 涉及一种组播密钥的安全分发方法、 系统及设 备。  The present invention belongs to the field of network security, and relates to a method, system and device for securely distributing a multicast key.
Background
Ethernet Passive Optical Network (EPON) is a new type of optical fibre access network technology. Through a single optical fibre access system it provides integrated data, voice and video service access, and it is economical.
EPON is an access network technology that combines the advantages of Ethernet and the passive optical network (PON); it is a shared-medium network. The EPON device at the central office is called the optical line terminal OLT (Optical Network Terminal), and the system at the subscriber side is called the optical network unit ONU (Optical Network Unit). Upstream transmission from an ONU to the OLT follows the time division multiplexing principle: each frame of data is scheduled in a specific time slot, and upstream data does not reach other ONUs. Downstream transmission from the OLT to the ONUs, however, is broadcast: the passive optical splitter delivers each packet to all ONUs at once. Because the EPON downstream channel is broadcast, when an ONU is in promiscuous mode every terminal station that wishes to receive can receive the downstream transmission.
In an EPON network, multicast service packets from the OLT to the ONUs are sent by broadcast and each ONU receives selectively. The OLT node handles multicast services in one of two modes: single-copy multicast or multi-copy multicast. Single-copy multicast saves bandwidth between the OLT and the ONUs effectively: instead of sending a separate unicast packet to each ONU belonging to the multicast service group, the OLT sends a single multicast packet, which the ONUs of that group receive; but it cannot prevent an ONU that does not belong to the group from also receiving the multicast service packet. In multi-copy multicast the OLT node sends a separate copy of the multicast service packet to each ONU belonging to the group, and an ONU in promiscuous mode that is not a member of the group can still receive it. Even if the OLT protects each per-ONU copy with encryption, so that a non-member ONU in promiscuous mode can receive but not decode the multicast service packet, a large amount of bandwidth between the OLT and the ONUs is still wasted.
Therefore an effective method is needed to overcome the shortcomings of the prior art, in which the downstream multicast service of an EPON network wastes bandwidth in multi-copy mode, while single-copy mode saves bandwidth but is insecure.
Summary of the invention
To solve the technical problems of the background art described above, the present invention provides a method, system and device for securely distributing a multicast key.
The present invention provides a method for securely distributing a multicast key:
The method comprises the following steps:
1) the optical network unit ONU establishes a unicast key USK with the optical line terminal OLT;
2) the ONU sends a multicast key request packet to the OLT; the packet comprises a multicast service identifier list information ListMSID field and an ONU random number N_ONU field, where the N_ONU field identifies the freshness of the multicast key request packet, and the ListMSID field contains one or more multicast service identifiers MSID, namely the list of MSIDs whose multicast keys the ONU requests to be distributed;
3) after receiving the multicast key request packet from the ONU, the OLT constructs a multicast key notification packet and sends it to the ONU; through the multicast key notification packet, the OLT uses the unicast key USK shared with that ONU to secretly notify the ONU of the multicast notification master key list ListNMK corresponding to the ListMSID field, in the form of the notification master key data list ListE(NMK);
4) after receiving the multicast key notification packet from the OLT, the ONU decrypts, or decrypts and expands, to obtain the multicast key MSK corresponding to each multicast service identifier MSID in the ListMSID field;
The present invention also comprises a multicast key secure distribution system, which comprises an optical line terminal OLT and an optical network unit ONU; after establishing a unicast key with the OLT, the ONU sends a multicast key request packet to the OLT whenever it needs to request a multicast key; after receiving the multicast key request packet, the OLT constructs a multicast key notification packet that carries the corresponding multicast service notification master key NMK list to the ONU in ciphertext; after receiving the multicast key notification packet, the ONU decrypts, or decrypts and expands, to obtain the multicast key MSK of the corresponding multicast service.
The present invention also comprises an optical line terminal OLT, which comprises:
a unicast key establishment module, for establishing a unicast key USK with the optical network unit ONU;
a multicast key distribution module, for receiving the multicast key request packet sent by the ONU, extracting from it the multicast service identifier list information corresponding to the multicast keys the ONU requests, encrypting the multicast notification master key NMK corresponding to each multicast service identifier with the unicast key shared with the ONU, and constructing the multicast key notification packet sent to the ONU; through the multicast key notification packet the multicast key distribution module secretly notifies the ONU of the NMK list corresponding to the multicast service identifier list the ONU requested.
The present invention also comprises an optical network unit ONU, which comprises:
a unicast key establishment module, for establishing a unicast key USK with the optical line terminal OLT;
a multicast key request module, for sending a multicast key request packet to the OLT; through the multicast key request packet the multicast key request module informs the OLT of the multicast service identifier list information for which the ONU needs the corresponding multicast keys;
a multicast key response module, for receiving the multicast key notification packet sent by the OLT, decrypting it to obtain the multicast notification master key NMK list secretly notified in the packet, and either using each NMK directly as the multicast key MSK or expanding each NMK with a one-way hash algorithm to obtain the corresponding MSK.
The advantages of the present invention are:
1) different multicast keys can be assigned to the several multicast service groups an EPON product supports, ensuring that, although downstream multicast messages are broadcast in the EPON, only the ONUs holding the corresponding multicast key MSK can receive them correctly and obtain the plaintext of the multicast message;
2) the unidirectional nature of EPON upstream data is fully exploited: no integrity check is computed for the multicast key request packet, so the OLT need not verify an integrity check for every multicast key request, which lowers the computational complexity of key distribution;
3) random numbers are carried in the multicast key request packet, the multicast key notification packet and the multicast key confirmation packet, which guarantees the freshness of the messages during multicast key distribution;
4) in a single procedure the ONU can request from the OLT the multicast keys corresponding to several multicast services.
Brief description of the drawings
To explain the embodiments of the present invention and the technical solutions of the prior art more clearly, the drawings needed for the embodiments and the prior art are briefly introduced below. Obviously the drawings described below are only some embodiments of the present invention, and a person of ordinary skill in the art could derive other drawings from them without creative effort.
Figure 1 is a schematic diagram of the multicast key distribution procedure provided by the present invention without a confirmation packet;
Figure 2 is a schematic diagram of the multicast key distribution procedure provided by the present invention with a confirmation packet;
Figure 3 is a schematic diagram of the multicast key secure distribution system corresponding to the multicast key secure distribution method provided by the present invention;
Figure 4 is a schematic diagram of the optical line terminal OLT corresponding to the multicast key secure distribution method provided by the present invention;
Figure 5 is a schematic diagram of the optical network unit ONU corresponding to the multicast key secure distribution method provided by the present invention.
Detailed description
To make the objects, technical solutions and advantages of the present invention clearer, the invention is described in further detail below with reference to the drawings and embodiments. Obviously the described embodiments are only some of the embodiments of the invention, not all of them. All other embodiments that a person of ordinary skill in the art obtains from the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
Referring to figures 1 and 2, the present invention provides a method for securely distributing a multicast key, comprising the following steps:
1) the optical network unit ONU establishes a unicast key USK with the optical line terminal OLT; in the preferred embodiment of the invention, both sides derive a key encryption key KEK and an integrity check key MAK from the unicast key USK;
2) the ONU sends a multicast key request packet to the OLT; the packet comprises a multicast service identifier list information ListMSID field and an ONU random number N_ONU field;
where:
the ONU random number N_ONU field identifies the freshness of the multicast key request packet;
the multicast service identifier list information ListMSID field contains one or more multicast service identifiers MSID and is the list of MSIDs whose multicast keys the ONU requests to be distributed; in a concrete implementation the multicast service identifier MSID may be a multicast logical link identifier LLID.
3) after receiving the multicast key request packet from the ONU, the OLT constructs a multicast key notification packet and sends it to the ONU; through the multicast key notification packet, the OLT uses the unicast key USK shared with that ONU to secretly notify the ONU of the multicast notification master key list ListNMK corresponding to the ListMSID field, in the form of the notification master key data list ListE(NMK);
4) after receiving the multicast key notification packet from the OLT, the ONU decrypts, or decrypts and expands, to obtain the multicast key MSK corresponding to each multicast service identifier MSID in the ListMSID field.
If the local policy of the OLT does not require the ONU to return a multicast key confirmation packet (figure 1), step 3) proceeds as follows:
3.1) the OLT looks up locally the multicast notification master key NMK corresponding to each MSID in the ListMSID field and constructs the multicast notification master key list ListNMK; if no NMK exists locally for some MSID in the ListMSID field, the OLT generates a random number as the NMK for that MSID and stores it locally;
3.2) the OLT encrypts the ListNMK corresponding to the ListMSID field using the unicast key USK shared with that ONU (in the preferred embodiment of the invention, the key encryption key KEK derived from USK), obtaining the notification master key data list ListE(NMK);
3.3) the OLT constructs the multicast key notification packet, which comprises the ListMSID field, the ONU random number N_ONU field, the notification master key data list ListE(NMK) and an integrity check MIC1 field; the MIC1 field is the hash value the OLT computes over all fields of the multicast key notification packet other than MIC1, using the unicast key USK shared with that ONU (in the preferred embodiment of the invention, the integrity check key MAK derived from USK);
3.4) the OLT sends the constructed multicast key notification packet to that ONU;
If the local policy of the OLT requires the ONU to return a multicast key confirmation packet (figure 2), step 3) proceeds as follows:
3.1) the OLT looks up locally the multicast notification master key NMK corresponding to each MSID in the ListMSID field and constructs the multicast notification master key list ListNMK; if no NMK exists locally for some MSID in the ListMSID field, the OLT generates a random number as the NMK for that MSID and stores it locally;
3.2) the OLT encrypts the ListNMK corresponding to the ListMSID field using the unicast key USK shared with that ONU (in the preferred embodiment of the invention, the key encryption key KEK derived from USK), obtaining the notification master key data list ListE(NMK);
3.3) the OLT locally generates a random number as the OLT random number N_OLT field, which identifies the freshness of this key notification;
3.4) the OLT constructs the multicast key notification packet, which comprises the ListMSID field, the OLT random number N_OLT field, the ONU random number N_ONU field, the notification master key data list ListE(NMK) and an integrity check MIC2 field; the MIC2 field is the hash value the OLT computes over all fields of the multicast key notification packet other than MIC2, using the unicast key USK shared with that ONU (in the preferred embodiment of the invention, the integrity check key MAK derived from USK);
3.5) the OLT sends the constructed multicast key notification packet to that ONU.
If the ONU does not need to send a multicast key confirmation packet after receiving the multicast key notification packet (figure 1), step 4) proceeds as follows:
4.1) the ONU extracts the N_ONU field and the ListMSID field from the multicast key notification packet and compares them with the corresponding fields of the multicast key request packet it sent earlier; if they match, step 4.2) is executed; otherwise the packet is discarded;
4.2) the ONU verifies the correctness of the MIC1 field of the received multicast key notification packet using the unicast key USK shared with the OLT (in the preferred embodiment of the invention, the integrity check key MAK derived from USK); if it is correct, step 4.3) is executed; otherwise the packet is discarded;
4.3) the ONU decrypts the notification master key data list ListE(NMK) field using the unicast key USK shared with the OLT (in the preferred embodiment of the invention, the key encryption key KEK derived from USK), obtaining the multicast notification master key NMK corresponding to each MSID in the ListMSID field; according to system policy, the ONU either uses each NMK directly as the multicast key MSK or expands it with a one-way hash algorithm to obtain the multicast key MSK.
If the ONU needs to send a multicast key confirmation packet after receiving the multicast key notification packet (figure 2), step 4) proceeds as follows:
4.1) the ONU extracts the N_ONU field and the ListMSID field from the multicast key notification packet and compares them with the corresponding fields of the multicast key request packet it sent earlier; if they match, step 4.2) is executed; otherwise the packet is discarded;
4.2) the ONU verifies the correctness of the MIC2 field of the received multicast key notification packet using the unicast key USK shared with the OLT (in the preferred embodiment of the invention, the integrity check key MAK derived from USK); if it is correct, step 4.3) is executed; otherwise the packet is discarded;
4.3) the ONU decrypts the notification master key data list ListE(NMK) field using the unicast key USK shared with the OLT (in the preferred embodiment of the invention, the key encryption key KEK derived from USK), obtaining the multicast notification master key NMK corresponding to each MSID in the ListMSID field; according to system policy, the ONU either uses each NMK directly as the multicast key MSK or expands it with a one-way hash algorithm to obtain the multicast key MSK.
If the ONU needs to send a multicast key confirmation packet after receiving the multicast key notification packet, steps 5) and 6) follow step 4):
5) the ONU sends a multicast key confirmation packet to the OLT. Step 5) proceeds as follows:
5.1) the ONU constructs the multicast key confirmation packet, which comprises the ListMSID field, the OLT random number N_OLT field and an integrity check MIC3 field; the MIC3 field is the hash value the ONU computes over all fields of the multicast key confirmation packet other than MIC3, using the unicast key USK shared with the OLT (in the preferred embodiment of the invention, the integrity check key MAK derived from USK);
5.2) the ONU sends the constructed multicast key confirmation packet to the OLT.
6) the OLT receives the multicast key confirmation packet from the ONU, confirms that the ONU has received the multicast key, and completes this multicast key distribution. Step 6) proceeds as follows:
6.1) the OLT extracts the N_OLT field and the ListMSID field from the multicast key confirmation packet and compares them with the corresponding fields of the multicast key notification packet it sent earlier; if they match, step 6.2) is executed; otherwise the packet is discarded;
6.2) the OLT verifies the correctness of the MIC3 field of the received multicast key confirmation packet using the unicast integrity check key shared with that ONU; if it is correct, the OLT confirms that the ONU has received the multicast key and the secure distribution of the multicast key is complete; otherwise the packet is discarded.
In the subsequent multicast service communication phase, the multicast messages that the OLT sends to the ONUs for a given multicast service identifier MSID are encrypted with the established multicast key MSK before transmission; each ONU, on receipt, decrypts them with the correspondingly established multicast key MSK to obtain the plaintext of the multicast message.
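The exchange of steps 1) to 6) above, in its figure 2 form with confirmation packet, modelled end to end as an added example; this is not code from the patent or its assignee. The patent fixes neither the key derivation, the cipher used to wrap ListNMK, the hash expansion from NMK to MSK, nor the field encodings, so all of those are assumptions here: KEK and MAK are derived from USK with labelled HMAC-SHA256, the wrap is an HMAC-SHA256 counter-mode keystream XOR standing in for a real key-wrap cipher, the expansion is HMAC-SHA256 over the NMK and MSID, MSIDs are 16-bit values (as multicast LLIDs would be), and all key and nonce lengths are 16 bytes. The freshness checks (4.1, 6.1) and integrity checks (4.2, 6.2) discard the packet exactly as the text prescribes, and the request packet carries no MIC, matching advantage 2).

```python
import hashlib
import hmac
import os
import struct

KEY_LEN = 16  # bytes per NMK / MSK in this model (assumed; the patent fixes no length)

def derive_keys(usk):
    """Step 1: both sides derive KEK and MAK from the unicast key USK (derivation assumed)."""
    kek = hmac.new(usk, b"KEK", hashlib.sha256).digest()
    mak = hmac.new(usk, b"MAK", hashlib.sha256).digest()
    return kek, mak

def mic(mak, *fields):
    """Integrity check value (MIC1/MIC2/MIC3) over the concatenated fields, keyed with MAK."""
    return hmac.new(mak, b"".join(fields), hashlib.sha256).digest()[:16]

def wrap(kek, nonce, data):
    """Encryption of ListNMK under KEK: HMAC-SHA256 counter-mode keystream XOR.
    Stand-in for the unspecified cipher; symmetric, so it also unwraps."""
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hmac.new(kek, nonce + struct.pack(">I", i // 32), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], ks))
    return bytes(out)

def expand(nmk, msid):
    """Optional NMK -> MSK expansion with a one-way hash (assumed construction)."""
    return hmac.new(nmk, b"MSK" + struct.pack(">H", msid), hashlib.sha256).digest()[:KEY_LEN]

def enc_msids(msids):
    """ListMSID field: MSIDs (e.g. multicast LLIDs) as 16-bit big-endian values."""
    return b"".join(struct.pack(">H", m) for m in msids)

class OLT:
    def __init__(self, usk, expand_msk=True):
        self.kek, self.mak = derive_keys(usk)
        self.expand_msk = expand_msk
        self.nmk = {}        # MSID -> NMK, kept locally and shared across ONUs (3.1)
        self.pending = None  # (ListMSID, N_OLT) of the notification awaiting confirmation

    def handle_request(self, req):
        """Step 3 (figure 2 form): build the multicast key notification packet."""
        msids, n_onu = req["list_msid"], req["n_onu"]
        for m in msids:                                   # 3.1: look up or generate NMK
            self.nmk.setdefault(m, os.urandom(KEY_LEN))
        list_nmk = b"".join(self.nmk[m] for m in msids)
        n_olt = os.urandom(16)                            # 3.3: OLT nonce for this notification
        e_nmk = wrap(self.kek, n_olt + n_onu, list_nmk)   # 3.2: ListE(NMK)
        mic2 = mic(self.mak, enc_msids(msids), n_olt, n_onu, e_nmk)  # 3.4: MIC2
        self.pending = (tuple(msids), n_olt)
        return {"list_msid": tuple(msids), "n_olt": n_olt, "n_onu": n_onu,
                "e_nmk": e_nmk, "mic2": mic2}

    def handle_confirm(self, pkt):
        """Step 6: match N_OLT/ListMSID, then MIC3; True means distribution is complete."""
        if self.pending is None or (pkt["list_msid"], pkt["n_olt"]) != self.pending:
            return False                                  # 6.1: stale or mismatched, discard
        expect = mic(self.mak, enc_msids(pkt["list_msid"]), pkt["n_olt"])
        if not hmac.compare_digest(expect, pkt["mic3"]):
            return False                                  # 6.2: MIC3 wrong, discard
        self.pending = None
        return True

    def msk_for(self, msid):
        """MSK the OLT will use for this service (same policy as the ONU)."""
        return expand(self.nmk[msid], msid) if self.expand_msk else self.nmk[msid]

class ONU:
    def __init__(self, usk, expand_msk=True):
        self.kek, self.mak = derive_keys(usk)
        self.expand_msk = expand_msk
        self.pending = None  # (ListMSID, N_ONU) of our outstanding request
        self.msk = {}        # MSID -> MSK obtained in step 4.3

    def make_request(self, msids):
        """Step 2: the request carries ListMSID and N_ONU; no MIC on the uplink request."""
        n_onu = os.urandom(16)
        self.pending = (tuple(msids), n_onu)
        return {"list_msid": tuple(msids), "n_onu": n_onu}

    def handle_notify(self, pkt):
        """Step 4 then 5: validate, decrypt, derive MSKs; return the confirmation packet or None."""
        if self.pending is None or (pkt["list_msid"], pkt["n_onu"]) != self.pending:
            return None                                   # 4.1: not the reply to our request
        expect = mic(self.mak, enc_msids(pkt["list_msid"]), pkt["n_olt"], pkt["n_onu"], pkt["e_nmk"])
        if not hmac.compare_digest(expect, pkt["mic2"]):
            return None                                   # 4.2: MIC2 wrong, discard
        list_nmk = wrap(self.kek, pkt["n_olt"] + pkt["n_onu"], pkt["e_nmk"])  # 4.3: decrypt
        if len(list_nmk) != KEY_LEN * len(pkt["list_msid"]):
            return None
        for i, m in enumerate(pkt["list_msid"]):
            nmk = list_nmk[i * KEY_LEN:(i + 1) * KEY_LEN]
            self.msk[m] = expand(nmk, m) if self.expand_msk else nmk
        self.pending = None
        mic3 = mic(self.mak, enc_msids(pkt["list_msid"]), pkt["n_olt"])   # 5.1: MIC3
        return {"list_msid": pkt["list_msid"], "n_olt": pkt["n_olt"], "mic3": mic3}

def run_exchange(usk, msids, tamper=False):
    """Drive one full exchange; returns (confirmed_by_olt, onu_and_olt_keys_agree)."""
    olt, onu = OLT(usk), ONU(usk)
    notify = olt.handle_request(onu.make_request(msids))
    if tamper:  # a modified notification on the broadcast downlink must be dropped at 4.2
        notify = dict(notify, e_nmk=bytes(b ^ 1 for b in notify["e_nmk"]))
    confirm = onu.handle_notify(notify)
    if confirm is None:
        return False, False
    agree = all(onu.msk[m] == olt.msk_for(m) for m in msids)
    return olt.handle_confirm(confirm), agree
```

`run_exchange(b"usk-from-step-1", [0x1001, 0x1002])` performs one request, notification and confirmation for two MSIDs and reports that both sides hold the same MSK per service. Because the OLT keeps its NMK table across ONUs, a second ONU requesting the same MSID ends up with the same MSK, which is what lets a single-copy multicast packet be decrypted by every authorised ONU while a non-member, lacking the MSK, cannot decode it. Replacing `wrap` with a real key-wrap algorithm and `expand` with the operator's chosen one-way hash leaves the packet flow unchanged.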
The present invention also provides a multicast key secure distribution system corresponding to the above method for securely distributing a multicast key. Referring to figure 3, the multicast key distribution system comprises an optical line terminal OLT 301 and an optical network unit ONU 302. After establishing a unicast key with the OLT 301, the ONU 302 sends a multicast key request packet to the OLT 301 whenever it needs to request a multicast key; after receiving the multicast key request packet, the OLT 301 constructs a multicast key notification packet that carries the corresponding multicast service notification master key NMK list to the ONU 302 in ciphertext; after receiving the multicast key notification packet, the ONU 302 decrypts, or decrypts and expands, to obtain the multicast key MSK of the corresponding multicast service. In the multicast key secure distribution system the ONU 302 optionally constructs a multicast key confirmation packet and sends it to the OLT 301; after receiving the multicast key confirmation packet, the OLT 301 confirms that the ONU 302 has received the multicast key MSK, and the secure distribution of the multicast key is complete.
The present invention also provides an optical line terminal OLT corresponding to the above secure multicast key distribution method. Referring to FIG. 4, the OLT includes:
a unicast key establishment module 401, for establishing a unicast key USK with the optical network unit ONU;
a multicast key distribution module 402, for receiving the multicast key request packet sent by the ONU, extracting from it the list of multicast service identifiers for which the ONU requests multicast keys, encrypting the multicast announcement master key NMK corresponding to each multicast service identifier with the unicast key shared with the ONU, and constructing a multicast key announcement packet to send to the ONU; through the multicast key announcement packet, the multicast key distribution module secretly announces to the ONU the list of multicast announcement master keys NMK corresponding to the list of multicast service identifiers the ONU requested;
The OLT further includes a multicast key confirmation module 403, for receiving the multicast key confirmation packet sent by the ONU and confirming that the ONU has received the list of multicast announcement master keys NMK secretly announced by the OLT's multicast key distribution module.
The present invention also provides an optical network unit ONU corresponding to the above secure multicast key distribution method. Referring to FIG. 5, its distinguishing feature is that the ONU includes:
a unicast key establishment module 501, for establishing a unicast key USK with the optical line terminal OLT;
a multicast key request module 502, for sending a multicast key request packet to the OLT; through the multicast key request packet, the multicast key request module informs the OLT of the list of multicast service identifiers corresponding to the multicast keys the ONU needs to obtain;
a multicast key response module 503, for receiving the multicast key announcement packet sent by the OLT, decrypting it to obtain the list of multicast announcement master keys NMK secretly announced in the packet, and either using each multicast announcement master key NMK directly as the multicast key MSK or expanding each NMK with a one-way hash algorithm to obtain the corresponding multicast key MSK;
The multicast key response module 503 of the ONU may further send a multicast key confirmation packet to the OLT, informing the OLT that the ONU has received the list of multicast announcement master keys NMK secretly announced by the OLT.
In summary, the present invention allows different multicast keys to be assigned to the multiple multicast service groups supported by an EPON product, and ensures that, although downstream multicast messages are transmitted in broadcast form in the EPON, only the optical network units ONU holding the corresponding multicast key MSK can receive them correctly and obtain the plaintext of the multicast messages. The invention makes full use of the unidirectional nature of EPON upstream data: no integrity check is computed for the multicast key request packet, so the OLT does not need to verify an integrity check for every multicast key request, which reduces the computational complexity of key distribution. The multicast key request packet, the multicast key announcement packet and the multicast key confirmation packet all carry random numbers, which ensures the freshness of the messages during multicast key distribution. In addition, by using lists, the invention allows the ONU to request from the OLT the multicast keys corresponding to several multicast services in a single procedure.

Claims

1. A secure multicast key distribution method, characterized in that the method comprises the following steps:
1) the optical network unit ONU and the optical line terminal OLT establish a unicast key USK;
2) the ONU sends a multicast key request packet to the OLT, the packet comprising a multicast service identifier list information field ListMSID and a random number field N_ONU of the ONU; where the random number field N_ONU identifies the freshness of the multicast key request packet, and the ListMSID field contains one or more multicast service identifiers MSID, namely the list of MSIDs corresponding to the multicast keys whose distribution the ONU requests;
3) on receiving the multicast key request packet from the ONU, the OLT constructs a multicast key announcement packet and sends it to the ONU; through the multicast key announcement packet, the OLT uses the unicast key USK shared between the OLT and the ONU to secretly announce to the ONU the multicast announcement master key list ListNMK corresponding to the ListMSID field, in the form of an announced master key data list ListE(NMK);
4) on receiving the multicast key announcement packet from the OLT, the ONU decrypts it, or decrypts and expands the result, to obtain the multicast key MSK corresponding to each multicast service identifier MSID in the ListMSID field.
2. The secure multicast key distribution method according to claim 1, characterized in that: in step 1), when the ONU and the OLT establish the unicast key USK, both derive a key encryption key KEK and an integrity check key MAK from the unicast key USK;
the specific processing of step 3) comprises:
3.1.1) the OLT looks up locally the multicast announcement master key NMK corresponding to each multicast service identifier MSID in the ListMSID field and constructs the multicast announcement master key list ListNMK; if no NMK exists locally for some MSID in the ListMSID field, the OLT generates a random number as the NMK for that MSID and stores it locally;
3.1.2) the OLT encrypts the multicast announcement master key list ListNMK corresponding to the ListMSID field with the key encryption key KEK shared with the ONU to obtain the announced master key data list ListE(NMK);
3.1.3) the OLT constructs a multicast key announcement packet comprising the ListMSID field, the random number field N_ONU of the ONU, the announced master key data list ListE(NMK) and an integrity check field MIC1; where MIC1 is the hash value computed by the OLT, with the unicast integrity check key MAK shared with the ONU, over all fields of the multicast key announcement packet except the MIC1 field;
3.1.4) the OLT sends the constructed multicast key announcement packet to the ONU;
the specific processing of step 4) comprises:
4.1.1) the ONU extracts the N_ONU field and the ListMSID field from the multicast key announcement packet and compares them with the corresponding fields of the multicast key request packet it sent earlier; if they match, it proceeds to step 4.1.2); otherwise it discards the packet;
4.1.2) the ONU verifies the correctness of the MIC1 field of the received multicast key announcement packet with the unicast integrity check key MAK shared with the OLT; if correct, it proceeds to step 4.1.3); otherwise it discards the packet;
4.1.3) the ONU decrypts the announced master key data list field ListE(NMK) with the key encryption key KEK shared with the OLT to obtain the multicast announcement master key NMK corresponding to each multicast service identifier MSID in the ListMSID field; according to system policy, the ONU either uses the NMK directly as the multicast key MSK or expands the NMK with a one-way hash algorithm to obtain the multicast key MSK.
3. The secure multicast key distribution method according to claim 1, characterized in that: in step 1), when the ONU and the OLT establish the unicast key USK, both derive a key encryption key KEK and an integrity check key MAK from the unicast key USK;
the specific processing of step 3) comprises:
3.2.1) the OLT looks up locally the multicast announcement master key NMK corresponding to each multicast service identifier MSID in the ListMSID field and constructs the multicast announcement master key list ListNMK; if no NMK exists locally for some MSID in the ListMSID field, the OLT generates a random number as the NMK for that MSID and stores it locally;
3.2.2) the OLT encrypts the multicast announcement master key list ListNMK corresponding to the ListMSID field with the key encryption key KEK shared with the ONU to obtain the announced master key data list ListE(NMK);
3.2.3) the OLT locally generates a random number as the random number field N_OLT of the OLT, used to identify the freshness of this key announcement;
3.2.4) the OLT constructs a multicast key announcement packet comprising the ListMSID field, the random number field N_OLT of the OLT, the random number field N_ONU of the ONU, the announced master key data list ListE(NMK) and an integrity check field MIC2; where MIC2 is the hash value computed by the OLT, with the unicast integrity check key MAK shared with the ONU, over all fields of the multicast key announcement packet except the MIC2 field;
3.2.5) the OLT sends the constructed multicast key announcement packet to the ONU;
the specific processing of step 4) comprises:
4.2.1) the ONU extracts the N_ONU field and the ListMSID field from the multicast key announcement packet and compares them with the corresponding fields of the multicast key request packet it sent earlier; if they match, it proceeds to step 4.2.2); otherwise it discards the packet;
4.2.2) the ONU verifies the correctness of the MIC2 field of the received multicast key announcement packet with the unicast integrity check key MAK shared with the OLT; if correct, it proceeds to step 4.2.3); otherwise it discards the packet;
4.2.3) the ONU decrypts the announced master key data list field ListE(NMK) with the key encryption key KEK shared with the OLT to obtain the multicast announcement master key NMK corresponding to each multicast service identifier MSID in the ListMSID field; according to system policy, the ONU either uses the NMK directly as the multicast key MSK or expands the NMK with a one-way hash algorithm to obtain the multicast key MSK.
4. The secure multicast key distribution method according to claim 3, characterized in that it further comprises, after step 4), step 5): the ONU sends a multicast key confirmation packet to the OLT; and step 6): the OLT receives the multicast key confirmation packet from the ONU, confirms that the ONU has received the multicast key, and completes this multicast key distribution; where
step 5) comprises:
5.1) the ONU constructs a multicast key confirmation packet comprising the ListMSID field, the random number field N_OLT of the OLT and an integrity check field MIC3; where MIC3 is the hash value computed by the ONU, with the unicast integrity check key MAK shared with the OLT, over all fields of the multicast key confirmation packet except the MIC3 field;
5.2) the ONU sends the constructed multicast key confirmation packet to the OLT;
step 6) comprises:
6.1) the OLT extracts the N_OLT field and the ListMSID field from the multicast key confirmation packet and compares them with the corresponding fields of the multicast key announcement packet it sent earlier; if they match, it proceeds to step 6.2); otherwise it discards the packet;
6.2) the OLT verifies the correctness of the MIC3 field of the received multicast key confirmation packet with the unicast integrity check key shared with the ONU; if correct, it confirms that the ONU has received the multicast key and completes this secure multicast key distribution; otherwise it discards the packet.
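As an added example that is not part of the patent, the following Python models the exchange of claims 1, 3 and 4 end to end (request without MIC, announcement with N_OLT and MIC2, the ONU's freshness and MIC checks, confirmation with MIC3) together with the multicast phase described in the specification, in which only the ONUs holding the MSK of a service recover the plaintext. The page names no concrete algorithms, so HMAC-SHA256 for the MIC fields and for deriving KEK and MAK from USK, an HMAC-SHA256 keystream as a stand-in for the KEK cipher, SHA-256 as the one-way expansion of NMK to MSK, and 16-byte NMKs are all assumptions; the identifiers and keys in the scenario are constructed.

```python
import hashlib
import hmac
import secrets

NMK_LEN = 16       # assumed NMK size; the page fixes none
EXPAND_NMK = True  # system policy of step 4.x.3: True = MSK = hash(NMK), False = MSK = NMK

def derive_kek_mak(usk):
    # step 1 of claims 2/3: KEK and MAK are both derived from USK (derivation labels assumed)
    return tuple(hmac.new(usk, lbl, hashlib.sha256).digest() for lbl in (b"KEK", b"MAK"))

def mic(mak, *fields):
    # hash over every packet field except the MIC itself; length prefixes fix field boundaries
    h = hmac.new(mak, digestmod=hashlib.sha256)
    for f in fields:
        h.update(len(f).to_bytes(2, "big") + f)
    return h.digest()

def kek_xor(key, nonce, data):
    # stand-in for the KEK cipher: XOR with an HMAC-SHA256 keystream bound to the nonce
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                      for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, stream))

def encode_list(items):
    return b"".join(len(i).to_bytes(2, "big") + i for i in items)  # ListMSID on the wire

def expand_msk(nmk):
    return hashlib.sha256(nmk).digest() if EXPAND_NMK else nmk  # one-way expansion

class OLT:
    def __init__(self):
        self.nmk_table = {}  # MSID -> NMK, generated on first request (step 3.2.1)
        self.peers = {}      # ONU id -> (KEK, MAK) from the unicast key of step 1
        self.pending = {}    # ONU id -> (N_OLT, ListMSID) of the last announcement

    def establish_unicast(self, onu_id, usk):
        self.peers[onu_id] = derive_kek_mak(usk)

    def on_key_request(self, onu_id, request):
        list_msid, n_onu = request  # step 2: the request carries no MIC
        kek, mak = self.peers[onu_id]
        for msid in list_msid:  # step 3.2.1: look up, or generate and store, an NMK
            self.nmk_table.setdefault(msid, secrets.token_bytes(NMK_LEN))
        n_olt = secrets.token_bytes(16)  # step 3.2.3: OLT freshness nonce
        list_e_nmk = kek_xor(kek, n_onu + n_olt, b"".join(self.nmk_table[m] for m in list_msid))
        mic2 = mic(mak, encode_list(list_msid), n_olt, n_onu, list_e_nmk)  # step 3.2.4
        self.pending[onu_id] = (n_olt, tuple(list_msid))
        return (tuple(list_msid), n_olt, n_onu, list_e_nmk, mic2)

    def on_key_confirm(self, onu_id, confirm):
        list_msid, n_olt, mic3 = confirm
        if self.pending.get(onu_id) != (n_olt, tuple(list_msid)):  # step 6.1: mismatch, discard
            return False
        ok = hmac.compare_digest(mic3, mic(self.peers[onu_id][1], encode_list(list_msid), n_olt))
        if ok:  # step 6.2: MIC3 valid, distribution complete; otherwise the packet is discarded
            del self.pending[onu_id]
        return ok

    def multicast(self, msid, plaintext):
        nonce = secrets.token_bytes(16)  # multicast phase: downstream data under this MSID's MSK
        return (msid, nonce, kek_xor(expand_msk(self.nmk_table[msid]), nonce, plaintext))

class ONU:
    def __init__(self, onu_id, usk):
        self.onu_id = onu_id
        self.kek, self.mak = derive_kek_mak(usk)
        self.pending, self.msk = None, {}  # outstanding (ListMSID, N_ONU); MSID -> MSK

    def key_request(self, list_msid):
        self.pending = (tuple(list_msid), secrets.token_bytes(16))  # step 2: fresh N_ONU
        return self.pending

    def on_key_announce(self, announce):
        list_msid, n_olt, n_onu, list_e_nmk, mic2 = announce
        if self.pending != (tuple(list_msid), n_onu):  # step 4.2.1: mismatch, discard
            return None
        expected = mic(self.mak, encode_list(list_msid), n_olt, n_onu, list_e_nmk)
        if not hmac.compare_digest(mic2, expected):  # step 4.2.2: verify MIC2 before decrypting
            return None
        plain = kek_xor(self.kek, n_onu + n_olt, list_e_nmk)  # step 4.2.3: decrypt ListE(NMK)
        for i, msid in enumerate(list_msid):
            self.msk[msid] = expand_msk(plain[i * NMK_LEN:(i + 1) * NMK_LEN])
        self.pending = None
        return (tuple(list_msid), n_olt, mic(self.mak, encode_list(list_msid), n_olt))  # 5.1

    def on_multicast(self, msg):
        msid, nonce, ciphertext = msg  # the broadcast reaches every ONU; only MSK holders decrypt
        return kek_xor(self.msk[msid], nonce, ciphertext) if msid in self.msk else None

def run_exchange():
    # constructed scenario: ONU a requests two services, ONU b requests none
    olt, usk_a = OLT(), secrets.token_bytes(32)  # USKs stand in for the unicast key of step 1
    a, b = ONU("onu-a", usk_a), ONU("onu-b", secrets.token_bytes(32))
    olt.establish_unicast("onu-a", usk_a)
    announce = olt.on_key_request("onu-a", a.key_request([b"MSID-1", b"MSID-2"]))
    confirmed = olt.on_key_confirm("onu-a", a.on_key_announce(announce))
    replay_rejected = a.on_key_announce(announce) is None  # no outstanding request left
    msg = olt.multicast(b"MSID-1", b"channel data")
    return confirmed, replay_rejected, a.on_multicast(msg), b.on_multicast(msg)
```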
5. A secure multicast key distribution system, characterized in that: the multicast key distribution system includes an optical line terminal OLT and an optical network unit ONU; after the ONU has established a unicast key with the OLT, it sends a multicast key request packet to the OLT whenever it needs to request a multicast key; on receiving the multicast key request packet, the OLT constructs a multicast key announcement packet that carries the list of multicast announcement master keys NMK of the corresponding multicast services to the ONU in ciphertext; on receiving the multicast key announcement packet, the ONU decrypts it, or decrypts and expands the result, to obtain the multicast key MSK of each corresponding multicast service.
6. The secure multicast key distribution system according to claim 5, characterized in that: in the secure multicast key distribution system, the ONU constructs a multicast key confirmation packet and sends it to the OLT; on receiving the multicast key confirmation packet, the OLT confirms that the ONU has received the multicast key MSK.
7. An optical line terminal OLT, characterized in that the OLT includes: a unicast key establishment module, for establishing a unicast key USK with the optical network unit ONU;
a multicast key distribution module, for receiving the multicast key request packet sent by the ONU, extracting from it the list of multicast service identifiers for which the ONU requests multicast keys, encrypting the multicast announcement master key NMK corresponding to each multicast service identifier with the unicast key shared with the ONU, and constructing a multicast key announcement packet to send to the ONU; through the multicast key announcement packet, the multicast key distribution module secretly announces to the ONU the list of multicast announcement master keys NMK corresponding to the list of multicast service identifiers the ONU requested.
8. The optical line terminal OLT according to claim 7, characterized in that: the OLT further includes a multicast key confirmation module, for receiving the multicast key confirmation packet sent by the ONU and confirming that the ONU has received the list of multicast announcement master keys NMK secretly announced by the OLT's multicast key distribution module.
9. An optical network unit ONU, characterized in that the ONU includes: a unicast key establishment module, for establishing a unicast key USK with the optical line terminal OLT;
a multicast key request module, for sending a multicast key request packet to the OLT; through the multicast key request packet, the multicast key request module informs the OLT of the list of multicast service identifiers corresponding to the multicast keys the ONU needs to obtain;
a multicast key response module, for receiving the multicast key announcement packet sent by the OLT, decrypting it to obtain the list of multicast announcement master keys NMK secretly announced in the packet, and either using each multicast announcement master key NMK directly as the multicast key MSK or expanding each NMK with a one-way hash algorithm to obtain the corresponding multicast key MSK.
10. The optical network unit ONU according to claim 9, characterized in that: the multicast key response module of the ONU further sends a multicast key confirmation packet to the OLT, informing the OLT that the ONU has received the list of multicast announcement master keys NMK secretly announced by the OLT.
PCT/CN2011/079917 2011-01-20 2011-09-21 Method, system and device for distributing safely a multicast key WO2012097601A1 (en)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN 201110023141 CN102055583B (en) 2011-01-20 2011-01-20 Method, system and equipment for safely distributing multicast key
CN201110023141.1 2011-01-20

Publications (1)

Publication Number Publication Date
WO2012097601A1 true WO2012097601A1 (en) 2012-07-26

Family

ID=43959544

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2011/079917 WO2012097601A1 (en) 2011-01-20 2011-09-21 Method, system and device for distributing safely a multicast key

Country Status (2)

Country Link
CN (1) CN102055583B (en)
WO (1) WO2012097601A1 (en)

Also Published As

Publication number Publication date
CN102055583B (en) 2012-11-14
CN102055583A (en) 2011-05-11

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 11855969; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 11855969; Country of ref document: EP; Kind code of ref document: A1)