WO2021244489A1 - Method and apparatus for transmitting encryption control overhead in an optical transport network - Google Patents

Method and apparatus for transmitting encryption control overhead in an optical transport network

Publication number: WO2021244489A1
Authority: WO, WIPO (PCT)
Prior art keywords: osu, frame, overhead, encryption, data stream
Application number: PCT/CN2021/097388
Other languages: English (en), Chinese (zh)
Inventors: 陈松, 张源斌
Original Assignee: 中兴通讯股份有限公司
Application filed by: 中兴通讯股份有限公司

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40 Network security protocols
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04J MULTIPLEX COMMUNICATION
    • H04J3/00 Time-division multiplex systems
    • H04J3/16 Time-division multiplex systems in which the time allocation to individual channels within a transmission cycle is variable, e.g. to accommodate varying complexity of signals, to vary number of channels transmitted
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04J MULTIPLEX COMMUNICATION
    • H04J3/00 Time-division multiplex systems
    • H04J3/16 Time-division multiplex systems in which the time allocation to individual channels within a transmission cycle is variable, e.g. to accommodate varying complexity of signals, to vary number of channels transmitted
    • H04J3/1605 Fixed allocated frame structures
    • H04J3/1652 Optical Transport Network [OTN]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/12 Applying verification of the received information
    • H04L63/123 Applying verification of the received information received data contents, e.g. message integrity
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04Q SELECTING
    • H04Q11/00 Selecting arrangements for multiplex systems
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04Q SELECTING
    • H04Q11/00 Selecting arrangements for multiplex systems
    • H04Q11/0001 Selecting arrangements for multiplex systems using optical switching
    • H04Q11/0062 Network aspects
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04Q SELECTING
    • H04Q11/00 Selecting arrangements for multiplex systems
    • H04Q11/0001 Selecting arrangements for multiplex systems using optical switching
    • H04Q11/0062 Network aspects
    • H04Q2011/0079 Operation or maintenance aspects

Definitions

  • the present disclosure relates to the field of communications, and in particular, to a method and device for transmitting encryption control overhead in an optical transport network.
  • FIG. 1 is a schematic diagram of the implementation of the security management control information channel in the related technology.
  • the security management information channel can be established using the existing ODUk reserved bytes in the OTN frame structure.
  • the number of ODUk reserved bytes is limited, the reuse of some existing bytes conflicts in special scenarios, and saving the limited ODUk reserved bytes through multi-frame transmission leads to inflexibility; no solution to this problem has been proposed yet.
  • the embodiments of the present disclosure provide an encryption control overhead transmission method and device in an optical transport network to at least solve the problems that arise in the related art when the existing ODUk reserved bytes in the OTN frame structure are used to establish a security management information channel: the number of ODUk reserved bytes is limited, the reuse of some existing bytes conflicts in special scenarios, and saving the limited ODUk reserved bytes through multi-frame transmission results in inflexibility.
  • an encryption control overhead transmission method in an optical transport network including:
  • the data frame is encapsulated into an optical conversion unit OTU frame, and the OTU frame is sent to the sink end.
  • inserting the encryption control overhead into the OSU overhead channel of the OSU data stream every interval M frames includes:
  • an encryption control overhead channel is established in the OSU overhead of every M frames in the OSU data stream, and the encryption control overhead is carried through the encryption control overhead channel to obtain multiple security frame headers SFH, wherein the encryption control overhead includes a counter, an encryption control word, and the M, and the counter is set to count encryption units during the process of encrypting the OSU payload.
  • before mapping the OSU data stream to the PB of the data frame, the method further includes:
  • the integrity of the multiple security frames is checked respectively, and the integrity check field is inserted into the end of the corresponding security frame.
  • encrypting the OSU payload between the multiple SFHs to obtain multiple secure frame bodies SFB includes:
  • the encryption unit of the OSU payload between the multiple SFHs is encrypted by using the target key to obtain the multiple SFBs.
  • the method further includes:
  • the encryption control word is inserted into the SFH of the consecutive W OSU frames from the boundary of the W OSU frames immediately, and the key update operation is initiated at the boundary of the next W frame, where W is greater than 1.
  • the receiving end, taking W OSU frames as a period, continuously searches the OSU data stream for the encryption control word at every interval of M frames according to the MFAS, and compares it with the received encryption control word; if the comparison shows that the number of matches is greater than W/2, a key switch success message is sent;
  • the updated original key is used for encryption at the boundary of the next W frame according to the key switch success message.
  • mapping the OSU data stream to the PB of the data frame includes:
  • the overhead type of the OSU data stream is set in the PB overhead area of the data frame.
  • an encryption control overhead transmission method in an optical transport network including:
  • the OSU data stream is mapped in the payload block PB of the OTN frame, encryption control overhead is inserted in the OSU overhead channel of the OSU data stream at an interval of every M frames, customer services are mapped in the OSU data stream, the OSU is composed of N basic blocks, and the N basic blocks include one OSU overhead and N-1 OSU payloads;
  • the method further includes:
  • the multiple security frame body SFBs in the OSU data stream are decrypted to obtain the service
  • the encryption control overhead includes a counter, an encryption control word, and the M
  • the counter is set to count encryption units in the process of encrypting the OSU payload
  • the multiple security frames are respectively formed by combining multiple SFHs and the SFBs following the multiple SFHs
  • an integrity check field is inserted at the end of the multiple security frames
  • the multiple SFBs are obtained by encrypting the OSU payload between the multiple SFHs
  • the multiple SFHs are obtained after inserting the encryption control overhead into the OSU overhead of every M frames of the OSU data stream.
  • the method further includes:
  • the encrypted control word is received simultaneously with the source end, wherein the source end is configured to insert the encryption control word into the SFH of W consecutive OSU frames, starting from the boundary of the immediately adjacent W OSU frames according to the MFAS, and to start a key update operation at the boundary of the next W frames, where W is an integer greater than 1;
  • with W OSU frames as a period, the encrypted control word is continuously searched for in the OSU data stream at every interval of M frames according to the MFAS, and compared with the received encrypted control word;
  • a key switch success message is sent to the source end, where the key switch success message is used to instruct the source end to encrypt with the updated original key at the boundary of the next W frames.
  • an encryption control overhead transmission device in an optical transport network including:
  • the first mapping module is configured to map client services to the OSU data stream of the optical service layer unit, where the OSU is composed of N basic blocks, and the N basic blocks include one OSU overhead and N-1 OSU payloads.
  • an insertion module configured to insert the encryption control overhead into the OSU overhead channel of the OSU data stream at an interval of every M frames, where the M is an integer greater than or equal to 1;
  • the second mapping module is configured to map the OSU data stream to the payload block PB of the payload area of the OTN frame;
  • the first sending module is configured to encapsulate the data frame into an optical conversion unit OTU frame, and send the OTU frame to the sink.
  • the insertion module is further configured to establish an encryption control overhead channel in the OSU overhead of every M frames in the OSU data stream, and to carry the encryption control overhead through the encryption control overhead channel to obtain multiple security frame headers SFH, wherein the encryption control overhead includes a counter, an encryption control word, and the M, and the counter is set to count encryption units during the process of encrypting the OSU payload.
  • the device further includes:
  • an encryption module configured to encrypt the OSU payload between the multiple SFHs to obtain multiple secure frame bodies SFB;
  • a combination module configured to combine each of the SFH with the SFB following the SFH to obtain multiple security frames
  • the verification module is configured to verify the integrity of the multiple security frames respectively, and insert an integrity verification field into the end of the corresponding security frame.
  • the encryption module includes:
  • the first encryption submodule is configured to use a combination of the MFAS and the counter to encrypt the original key negotiated with the sink in advance to obtain a target key;
  • the second encryption sub-module is configured to encrypt the encryption unit of the OSU payload between the multiple SFHs by using the target key to obtain the multiple SFBs.
  • the device further includes:
  • a receiving submodule configured to receive the encrypted control word simultaneously with the sink after the preset timer of the original key expires
  • the inserting sub-module is configured to insert the encryption control word into the SFH of W consecutive OSU frames, starting from the boundary of the immediately adjacent W OSU frames according to the MFAS, and to start the key update operation at the boundary of the next W frames, wherein W is an integer greater than 1;
  • the comparison sub-module is configured to receive the sink end from the OSU data stream in a period of W OSU frames, continuously search for the encryption control word at every interval of the M frame according to the MFAS, and compare the encryption control Word and received encryption control
  • the third encryption submodule is configured to use the updated original key for encryption at the boundary of the next W frame according to the key switch success message.
  • the second mapping module includes:
  • a mapping sub-module configured to map the OSU data stream to the PB payload area of the data frame
  • the setting sub-module is set to set the overhead type of the OSU data stream in the PB overhead area of the data frame.
  • an encryption control overhead transmission device in an optical transport network including:
  • the first receiving module is configured to receive the optical conversion unit OTU frame, into which the OTN frame is encapsulated, sent by the source end, where the OSU data stream is mapped in the payload block PB of the OTN frame, encryption control overhead is inserted into the OSU overhead channel of the OSU data stream at an interval of every M frames, client services are mapped in the OSU data stream, the OSU is composed of N basic blocks, and the N basic blocks include one OSU overhead and N-1 OSU payloads;
  • the obtaining module is configured to obtain the OSU data stream from the OTU frame.
  • the device further includes:
  • the decryption module is configured to decrypt multiple secure frame bodies SFB in the OSU data stream according to the multi-frame alignment signal MFAS, the counter, the encryption control word and the M to obtain the service, wherein the encryption control overhead includes the counter, the encryption control word, and the M, the counter is set to count encryption units during the process of encrypting the OSU payload, the multiple security frames are respectively formed by combining multiple SFHs and the SFBs following the multiple SFHs, an integrity check field is inserted at the end of the multiple security frames, the multiple SFBs are obtained by encrypting the OSU payload between the multiple SFHs, and the multiple SFHs are obtained after inserting the encryption control overhead into the OSU overhead of every M frames of the OSU data stream.
  • the device further includes:
  • the second receiving module is configured to receive the encrypted control word at the same time as the source end after the preset timer of the original key expires, wherein the source end is configured to insert the encryption control word into the SFH of W consecutive OSU frames, starting from the boundary of the immediately adjacent W OSU frames according to the MFAS, and to start a key update operation at the boundary of the next W frames, where W is an integer greater than 1;
  • the comparison module is configured to, with W OSU frames as a period, continuously search the OSU data stream for the encrypted control word at every interval of M frames according to the MFAS, and compare it with the received encryption control word
  • the second sending module is configured to send a key switch success message to the source end if the comparison shows that the number of matches is greater than W/2, wherein the key switch success message is used to instruct the source end to encrypt with the updated original key at the boundary of the next W frames.
  • a computer-readable storage medium in which a computer program is stored, wherein the computer program is configured to execute the steps in any one of the foregoing method embodiments when running.
  • an electronic device including a memory and a processor, wherein a computer program is stored in the memory, and the processor is configured to run the computer program to execute the steps in any one of the above method embodiments.
  • the service is mapped to the OSU data stream, and the encryption control overhead, that is, the security management information, is inserted in the OSU overhead area of the OSU data stream and carried in the PB divided in the payload area of the OTN frame, so as not to occupy the limited ODUk reserved bytes.
  • this can solve the problems in the related art that arise when existing ODUk reserved bytes in the OTN frame structure are used to establish a security management information channel: the number of ODUk reserved bytes is limited, and the reuse of some existing bytes conflicts in special scenarios.
  • Figure 1 is a schematic diagram of the realization of a security management control information channel in related technologies
  • FIG. 2 is a block diagram of the hardware structure of a mobile terminal for an encryption control overhead transmission method in an optical transport network according to an embodiment of the present invention
  • Fig. 3 is a first flow chart of encryption control overhead transmission in an optical transport network according to an embodiment of the present invention
  • FIG. 4 is a schematic diagram of the structure of an OSU frame according to an embodiment of the present disclosure.
  • FIG. 5 is a first structural diagram of OSU frame insertion overhead block according to an embodiment of the present disclosure
  • Fig. 6 is a second structural diagram of OSU frame insertion overhead block according to an embodiment of the present disclosure.
  • Fig. 7 is a schematic diagram of mapping an OSU frame into a PB according to an embodiment of the present disclosure
  • FIG. 8 is a schematic diagram of the relationship between the OSU structure and the minimum encryption unit according to an embodiment of the present disclosure
  • Fig. 9 is a schematic diagram of an encrypted control word in an OSU frame according to an embodiment of the present disclosure.
  • Fig. 10 is a second flowchart of encryption control overhead transmission in an optical transport network according to an embodiment of the present invention.
  • FIG. 11 is a first schematic diagram of encryption processing based on an OSU structure according to an embodiment of the present disclosure.
  • Fig. 12 is a second schematic diagram of encryption processing based on the OSU structure according to an embodiment of the present disclosure.
  • FIG. 13 is a first schematic diagram of key switching at the source end according to an embodiment of the present disclosure.
  • FIG. 14 is a first schematic diagram of key switching at the sink according to an embodiment of the present disclosure.
  • FIG. 15 is a third schematic diagram of encryption processing based on the OSU structure according to an embodiment of the present disclosure.
  • FIG. 16 is a fourth schematic diagram of encryption processing based on the OSU structure according to an embodiment of the present disclosure.
  • FIG. 17 is a second schematic diagram of key switching at the source end according to an embodiment of the present disclosure.
  • FIG. 19 is a first structural block diagram of an encryption control overhead transmission device in an optical transport network according to an embodiment of the present invention.
  • FIG. 20 is a second structural block diagram of an encryption control overhead transmission device in an optical transport network according to an embodiment of the present invention.
  • FIG. 2 is a hardware structural block diagram of a mobile terminal for an encryption control overhead transmission method in an optical transport network according to an embodiment of the present invention.
  • the mobile terminal may include one or more processors 102 (only one is shown in FIG. 2; the processor 102 may include, but is not limited to, a processing device such as a microprocessor MCU or a programmable logic device FPGA) and a memory 104 configured to store data, wherein the above-mentioned mobile terminal may also include a transmission device 106 and an input/output device 108 for communication functions.
  • the structure shown in FIG. 2 is only for illustration, and does not limit the structure of the above-mentioned mobile terminal.
  • the mobile terminal may also include more or fewer components than shown in FIG. 2 or have a different configuration from that shown in FIG. 2.
  • the memory 104 may be configured to store computer programs, for example, software programs and modules of application software, such as the computer programs corresponding to the encryption control overhead transmission method in the optical transport network in the embodiment of the present invention, and the processor 102 runs the computer program stored in the memory 104 to perform various functional applications and data processing, that is, to implement the above-mentioned method.
  • the memory 104 may include a high-speed random access memory, and may also include a non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory.
  • the memory 104 may further include a memory remotely provided with respect to the processor 102, and these remote memories may be connected to the mobile terminal through a network. Examples of the aforementioned networks include, but are not limited to, the Internet, corporate intranets, local area networks, mobile communication networks, and combinations thereof.
  • the transmission device 106 is configured to receive or transmit data via a network.
  • the above-mentioned specific examples of the network may include a wireless network provided by a communication provider of a mobile terminal.
  • the transmission device 106 includes a network adapter (Network Interface Controller, NIC for short), which can be connected to other network devices through a base station to communicate with the Internet.
  • the transmission device 106 may be a radio frequency (RF) module, and the transmission device 106 is configured to communicate with the Internet in a wireless manner.
  • FIG. 3 is a first flowchart of encryption control overhead transmission in an optical transport network according to an embodiment of the present invention. As shown in Figure 3, the process includes the following steps:
  • Step S302 Map the customer service to the OSU data stream of the optical service layer unit, where the OSU is composed of N basic blocks, and the N basic blocks include one OSU overhead and N-1 OSU payloads;
  • Step S304 inserting the encryption control overhead into the OSU overhead channel of the OSU data stream every interval M frames, where the M is an integer greater than or equal to 1;
  • step S304 can be specifically implemented in the following manner: an encryption control overhead channel is established in the OSU overhead of every M frames in the OSU data stream, and the encryption control overhead is carried through the encryption control overhead channel to obtain a plurality of security frame headers SFH, where the encryption control overhead includes a counter, an encryption control word, and the M, and the counter is set to count encryption units during the process of encrypting the OSU payload.
  • Step S306 Map the OSU data stream to the payload block PB of the payload area of the OTN frame;
  • step S306 may specifically include:
  • the overhead type of the OSU data stream is set in the PB overhead area of the data frame.
  • Step S308 Encapsulate the data frame into an optical conversion unit OTU frame, and send the OTU frame to the sink.
  • the service is mapped to the OSU data stream, and the encryption control overhead, that is, the security management information, is inserted into the OSU overhead area of the OSU data stream and carried in the PB divided in the payload area of the OTN frame.
  • FIG. 4 is a schematic structural diagram of an OSU frame according to an embodiment of the present disclosure. As shown in FIG. 4, the embodiment of the present disclosure maps customer services to the OSU.
  • the OSU is composed of N basic blocks of two types, overhead and payload. The value of N is different for different services; the first basic block in each OSU is the OSU overhead, and the remaining N-1 basic blocks are the OSU payload.
  • the OSU payload between the multiple SFHs is encrypted to obtain multiple secure frame bodies SFB. Further, the combination of the multi-frame alignment signal MFAS and the counter is used to encrypt the original key negotiated with the sink in advance to obtain the target key; the target key is used to encrypt the encryption units of the OSU payload between the multiple SFHs to obtain the multiple SFBs; each SFH is combined with the SFB following it to obtain multiple security frames; the integrity of the multiple security frames is verified respectively, and the integrity check field is inserted at the end of the corresponding security frame. The multi-frame alignment signal MFAS is a basic OSU overhead.
  • the basic block length of OSU is P bytes, and the composition of OSU is N*P bytes.
  • some security management information needs to be added, so a security management information channel needs to be defined; in addition, the integrity of the security frame needs to be verified to generate an integrity check value, which is inserted at the end of the security frame.
  • the encrypted OSU payload part is called SFB
  • the security management information is called SFH (encryption control overhead)
  • the security frame includes two parts, SFH and SFB
  • the security frame integrity check field is called SFC
  • the SFC is inserted after the security frame.
  • the structure after encryption and integrity check is that the head of the security frame is SFH, and the tail of the security frame is SFC. After removing the head and tail, the rest is the encrypted payload area SFB.
  • SFH includes control information transmitted from the encryption end to the decryption end, and other control information associated with secure transmission, while SFC is the integrity check of the secure frame.
  • an encryption channel can be constructed in the OSU data stream, that is, an encryption overhead block can be inserted in the OSU data stream.
  • the encryption control block can be inserted based on a single OSU frame, or it can be inserted based on multiple OSU frames.
  • the SFH is carried in the encryption overhead block.
  • FIG. 5 is a first structural diagram of the OSU frame insertion overhead block according to an embodiment of the present disclosure. As shown in FIG. 5, SFH is inserted once for each OSU frame.
  • FIG. 6 is a second structural diagram of the OSU frame insertion overhead block according to an embodiment of the present disclosure. As shown in FIG. 6, SFH is inserted once every N OSU frames, and SFC is inserted at the end of the encrypted frame after one OSU frame or N OSU frames are encrypted.
  • the bandwidth of the encryption control block is the ratio of the length of the encryption control block to the insertion period of the encryption control block.
  • after the preset timer of the original key expires, the encryption control word is received at the same time as the sink; the encryption control word is inserted in the SFH of W consecutive OSU frames, starting from the boundary of the adjacent W OSU frames according to the MFAS, and the key update operation is initiated at the boundary of the next W frames, where W is an integer greater than 1;
  • the receiving end, taking W OSU frames as a period, continuously searches the OSU data stream for the encryption control word at every interval of M frames according to the MFAS, and compares it with the received encryption control word; if the comparison shows that the number of matches is greater than W/2, a key switch success message is sent; according to the key switch success message, the updated original key is used for encryption at the boundary of the next W frames.
  • FIG. 7 is a schematic diagram of mapping an OSU frame into a PB according to an embodiment of the present disclosure.
  • the payload area of the optical transport network frame is divided into PBs, and the PB includes an overhead area and a payload area.
  • Encryption control block and OSU overhead are two different types of control blocks. In order to identify these two types of control blocks, an indication mark is set in the overhead area of the PB, and the indication mark is used to indicate the type of control block carried in the PB.
  • Fig. 8 is a schematic diagram of the relationship between the OSU structure and the minimum encryption unit according to an embodiment of the present disclosure.
  • the encryption control block in the SFH mainly includes two parts: a counter and an encryption control word. Since the OSU frame is based on N*P bytes, the payload part occupies (N-1)*P bytes, adopts the AES-CTR encryption mode, and the smallest encryption unit is 128 bits (that is, 16 bytes). Each OSU frame contains (P/16)*(N-1) encryption units, and the size of the counter (in bits) is log2((P/16)*(N-1)) rounded off.
  • the value range of the counter is 0 to (P/16)*(N-1)-1, and the smallest encryption unit starts to be encrypted at the frame head position of each OSU frame until the end of the OSU frame.
  • the counter restarts counting at the beginning of the next OSU frame. Therefore, there is no need to transmit the counter value and the MFAS value in the security management channel SFH, only the original key needs to be transmitted in the channel, and the encryption end and the decryption end agree on agreement. No matter if the SFH is inserted once for each OSU frame, or the SFH is inserted once for N OSU frames, since the encryption is for each OSU frame, the processing method is the same.
  • Fig. 9 is a schematic diagram of an encrypted control word in an OSU frame according to an embodiment of the present disclosure.
  • a large number judgment method of M encrypted frames MFAS is used to ensure reliability.
  • the encrypting end and the decrypting end receive their respective local encryption control words, and the encrypting end inserts the encryption control word for M frames at the specified overhead position, starting at the adjacent M-frame boundary according to the local MFAS.
  • the decryption end continuously searches for and compares the encryption control word with M frames as the cycle, and finally uses the principle of large number judgment to confirm whether the synchronization operation between the decryption end and the encryption end is complete, realizing switching among CTR, ECB, pass-through and other modes and lossless switching of encryption and decryption keys.
  • the principle of large number judgment here is based on M frames: as long as the encrypted control word at the sink end and the control word passed from the source end agree more than M/2 times, the synchronization is considered complete.
  • the encryption end must pass not only the encrypted control word to the decryption end but also the N value, that is, how many frames pass between SFH insertions; the encrypted control word and the N value are both passed as security management information.
  • the encryption terminal inserts M frame encryption control at the designated overhead position based on the MFAS of the first OSU frame of the local integral frame, starting at the immediate M integral frame boundaries.
  • the decryption terminal then continuously searches and compares the encrypted control words with a period of M overall frames. If the encrypted control words are consistent, the mode switching and lossless switching are initiated.
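The majority decision described above can be simulated end to end. The following is an added example, not code from the patent: the function names, the tuple layout of a frame, the event names and the 8-bit MFAS model are assumptions, and the period of 8 frames is taken from the worked embodiment later in the description.

```python
from typing import List, Optional, Set, Tuple

# (MFAS value, control word carried in the SFH, or None if none is present)
Frame = Tuple[int, Optional[int]]


def source_frames(first_mfas: int, n_frames: int, word: int, w: int,
                  word_ready_at: int) -> List[Frame]:
    """Source side: once the control word is available (frame index
    word_ready_at), wait for the next w-frame boundary of the MFAS, then
    carry the word in the SFH of w consecutive frames."""
    frames: List[Frame] = []
    insert_start: Optional[int] = None
    for i in range(n_frames):
        mfas = (first_mfas + i) % 256          # MFAS modelled as 8 bits (assumption)
        if insert_start is None and i >= word_ready_at and mfas % w == 0:
            insert_start = i
        in_window = insert_start is not None and i < insert_start + w
        frames.append((mfas, word if in_window else None))
    return frames


def corrupt(frames: List[Frame], indexes: Set[int], bad_word: int = 0) -> List[Frame]:
    """Constructed channel errors: overwrite the control word in some frames."""
    return [(m, bad_word if (i in indexes and wd is not None) else wd)
            for i, (m, wd) in enumerate(frames)]


def sink_decide(frames: List[Frame], local_word: int, w: int):
    """Sink side: count matches per w-frame period aligned to the MFAS.
    More than w/2 matches means synchronised, so the new key becomes active
    at the next boundary; otherwise report failure and keep searching.
    Returns (events, index of the first frame under the new key or None)."""
    events = []
    matches = 0
    aligned = False
    for i, (mfas, word) in enumerate(frames):
        if mfas % w == 0:                      # period boundary: restart the count
            matches, aligned = 0, True
        if not aligned:
            continue                           # skip the partial period at start-up
        if word == local_word:
            matches += 1
        if mfas % w == w - 1:                  # last frame of the period
            if matches > w / 2:
                events.append(("switch_ok", i + 1, matches))
                return events, i + 1
            events.append(("switch_failed", i + 1, matches))
    return events, None


if __name__ == "__main__":
    frames = source_frames(first_mfas=3, n_frames=24, word=0xA5, w=8, word_ready_at=0)
    print(sink_decide(corrupt(frames, {5, 7, 9}), 0xA5, 8))       # 5 of 8 match
    print(sink_decide(corrupt(frames, {5, 7, 9, 11}), 0xA5, 8))   # only 4 of 8 match
```

With three of the eight control words corrupted the sink still switches at the same boundary as the source; with four corrupted it reports failure and stays on the old key.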
  • FIG. 10 is a second flowchart of encryption control overhead transmission in an optical transport network according to an embodiment of the present invention. As shown in FIG. 10, the process includes the following steps:
  • Step S1002: receive the optical conversion unit OTU frame encapsulating the OTN frame sent by the source end, where the OSU data stream is mapped in the payload block PB of the OTN frame, encryption control overhead is inserted into the OSU overhead channel of the OSU data stream every M frames, client services are mapped in the OSU data stream, the OSU is composed of N basic blocks, and the N basic blocks include one OSU overhead and N-1 OSU payloads.
  • Step S1004: obtain the OSU data stream from the OTU frame.
  • The encryption control overhead includes a counter, an encryption control word, and the M.
  • The counter is set to count encryption units in the process of encrypting the OSU payload, the multiple security frames are respectively formed by combining multiple SFHs with the SFBs following the multiple SFHs, an integrity check field is inserted at the end of the multiple security frames, the multiple SFBs are obtained by encrypting the OSU payload between the multiple SFHs, and the multiple SFHs are obtained by inserting the encryption control overhead into the OSU overhead of the OSU data stream every M frames.
  • The encryption control word is received simultaneously with the source end, wherein the source end is configured to insert the encryption control word into the SFH of W consecutive OSU frames, starting from the immediately following boundary of W OSU frames according to the MFAS, and to initiate the key update operation at the boundary of the next W frames, where W is an integer greater than 1;
  • With W OSU frames as a period, the encryption control word is continuously searched for in the OSU data stream every M frames according to the MFAS and compared with the received encryption control word;
  • A key switch success message is sent to the source end, where the key switch success message is used to instruct the source end to encrypt using the updated original key at the boundary of the next W frames.
  • A 100 Mbit/s customer service A and a 155.52 Mbit/s customer service B are transmitted between two OTN devices through the optical conversion unit OTU2.
  • The source device encrypts customer service A and customer service B, with the encryption control overhead inserted once per OSU frame; the sink device decrypts the encrypted services and restores the original customer service A and customer service B.
  • The key needs to be updated regularly.
  • The basic block length of the OSU is 64 bytes.
  • The data frame is composed of the ODU2 payload and includes 200 PBs.
  • The number of PBs occupied by each OSU can be calculated.
  • OSU#1, which carries customer service A, is composed of 6 64-byte basic blocks.
  • OSU#2, which carries customer service B, is composed of 10 64-byte basic blocks.
  • FIG. 11 is a schematic diagram 1 of encryption processing based on the OSU structure according to an embodiment of the present disclosure.
  • The SFH is inserted once per OSU frame, so for customer service A it is inserted once every 6 basic blocks.
  • The SFH insertion period is denoted as Ta.
  • FIG. 12 is the second schematic diagram of encryption processing based on the OSU structure according to an embodiment of the present disclosure.
  • For customer service B the SFH is inserted once every 10 basic blocks, and the SFH insertion period is denoted as Tb.
  • The overhead is sent first and then the data is sent.
  • The source end of customer service A sends the encryption control overhead SFH once per cycle Ta.
  • The source end of customer service B sends the encryption control overhead SFH once per cycle Tb.
  • Step 3: After the source end sends the encryption control overhead for customer service A and customer service B according to their respective cycles, it sends the OSU data, which fills the space between two encryption control overheads. The payload of this part is divided into 128-bit encryption units and encrypted, and the encrypted data forms the SFB. Finally, an integrity check is performed on the security frame (SFH+SFB): the integrity check value C is calculated and inserted after the security frame as the SFC.
  • Step 4: Customer service A and customer service B periodically complete the encryption processing and integrity processing of OSU#1 and OSU#2 according to the processing method in step 3.
  • Step 5: Multiplex OSU#1 and OSU#2 into the PBs at the corresponding positions in the data frame. After the multiplexing of OSU#1 and OSU#2 is completed, the data frame is encapsulated into OTU2 and sent out.
  • Step 6: After receiving the OTU2, the sink demaps the corresponding OSU#1 and OSU#2 from the PBs of the data frame.
  • Step 7: The sink then identifies the data block, IDLE block, basic overhead block and encryption overhead block according to the type identification.
  • Step 8: For the encrypted OSU block, the sink locally calculates a check value D and compares the received integrity check value C with D. If the two are different, the OSU block is discarded; if they are the same, the original service type A and service type B are decrypted from the OSU block.
  • Step 9: When the key update timer expires, the upper-layer software first sends the encryption control word to the source device and the sink device at the same time, and then the source device initiates the key update operation.
  • FIG. 13 is a schematic diagram 1 of key switching at the source end according to an embodiment of the present disclosure.
  • For OSU#1 carrying customer service A and OSU#2 carrying customer service B, the source device, according to the local MFAS[2:0], inserts the encryption control word in the designated overhead position SFH for 8 consecutive frames, starting at the next 8-frame boundary. After the 8 frames of encryption control words have been inserted, it starts the switching operation at the next MFAS[2:0] 8-frame boundary;
  • Fig. 14 is a schematic diagram 1 of the key switching of the sink end according to the embodiment of the present disclosure.
  • the frame is a period to search for the encryption control word in the SFH position of the received OSU frame, and compare it with the local encryption control word. If, in a given 8-frame comparison period, the number of successful encryption control word matches is greater than 4, synchronization is confirmed as successful, and the sink switches to the new key at the next 8-frame boundary and reports the successful switching event at the same time. If the number of successful comparisons is less than 5, the handover failure event is reported, and the sink continues to search for and compare the encryption control words in subsequent 8-frame cycles.
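Steps 3 and 8 of this embodiment (encrypt the payload in 128-bit units with a counter that restarts at each frame head, append the check value C as the SFC, recompute D at the sink and discard on mismatch) can be exercised with the sketch below. It is an added example, not code from the patent: the function names, the SFH byte layout, the keys and the 16-byte check value are assumptions, and HMAC-SHA256 stands in both for the AES block operation and for the integrity algorithm, which the description does not name.

```python
import hashlib
import hmac
from typing import Optional

P = 64        # basic block length in bytes (value used in the embodiment)
UNIT = 16     # smallest encryption unit: 128 bits
TAG_LEN = 16  # assumed length of the integrity check value C (the SFC)


def units_per_frame(n_blocks: int, p: int = P) -> int:
    """Encryption units in one OSU frame: (P/16)*(N-1)."""
    return (p // UNIT) * (n_blocks - 1)


def counter_bits(n_blocks: int, p: int = P) -> int:
    """Counter width in bits; rounding up is assumed so that 0..units-1 fits."""
    return max(1, (units_per_frame(n_blocks, p) - 1).bit_length())


def keystream_block(orig_key: bytes, mfas: int, counter: int) -> bytes:
    """Per-unit keystream derived from (original key, MFAS, counter).
    HMAC-SHA256 is a stand-in here for the AES block operation."""
    counter_block = bytes([mfas & 0xFF]) + counter.to_bytes(2, "big")
    return hmac.new(orig_key, counter_block, hashlib.sha256).digest()[:UNIT]


def crypt_payload(payload: bytes, orig_key: bytes, mfas: int) -> bytes:
    """CTR-style XOR. The counter starts at 0 at the frame head, so the same
    call encrypts and decrypts, and no counter value travels in the SFH."""
    out = bytearray()
    for counter in range(len(payload) // UNIT):
        unit = payload[counter * UNIT:(counter + 1) * UNIT]
        ks = keystream_block(orig_key, mfas, counter)
        out += bytes(a ^ b for a, b in zip(unit, ks))
    return bytes(out)


def check_value(mac_key: bytes, sfh: bytes, sfb: bytes) -> bytes:
    """Integrity check value over the security frame (SFH+SFB)."""
    return hmac.new(mac_key, sfh + sfb, hashlib.sha256).digest()[:TAG_LEN]


def build_security_frame(sfh: bytes, payload: bytes, mfas: int,
                         orig_key: bytes, mac_key: bytes) -> bytes:
    """Source side (step 3): returns SFH + SFB + SFC."""
    if len(sfh) != P or len(payload) % UNIT:
        raise ValueError("SFH must be one basic block, payload whole units")
    sfb = crypt_payload(payload, orig_key, mfas)
    return sfh + sfb + check_value(mac_key, sfh, sfb)


def open_security_frame(frame: bytes, mfas: int,
                        orig_key: bytes, mac_key: bytes) -> Optional[bytes]:
    """Sink side (step 8): recompute D, compare with C, discard on mismatch."""
    body_len = len(frame) - TAG_LEN
    if body_len < P or (body_len - P) % UNIT:
        return None                                # malformed frame
    sfh, sfb, c = frame[:P], frame[P:body_len], frame[body_len:]
    d = check_value(mac_key, sfh, sfb)
    if not hmac.compare_digest(c, d):              # constant-time comparison
        return None                                # C != D: discard the block
    return crypt_payload(sfb, orig_key, mfas)


if __name__ == "__main__":
    # Constructed sample: OSU#1 of the embodiment (N = 6 basic blocks of 64 bytes).
    orig_key, mac_key = bytes(range(32)), bytes(range(32, 64))
    sfh = bytes([0xE0, 0xA5, 1]).ljust(P, b"\x00")  # constructed layout: type, control word, M
    payload = bytes(i % 251 for i in range(5 * P))
    frame = build_security_frame(sfh, payload, 3, orig_key, mac_key)
    print(units_per_frame(6), counter_bits(6), len(frame))
    print(open_security_frame(frame, 3, orig_key, mac_key) == payload)
```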
  • Two OTN devices transmit a 2.24 Mbit/s customer service A and a 49.96 Mbit/s customer service B between them through OTU2.
  • The source device encrypts customer service A and customer service B, with the encryption control overhead inserted once every two OSU frames; the sink device decrypts the encrypted services and restores the original customer service A and customer service B. At the same time, in order to ensure the security of the key, the key needs to be updated regularly.
  • The basic block length of the OSU is 64 bytes.
  • The data frame is composed of the ODU2 payload and includes 200 PBs.
  • The number of PBs occupied by each OSU can be calculated.
  • OSU#1, which carries customer service A, is composed of three 64-byte basic blocks.
  • OSU#2, which carries customer service B, is composed of five 64-byte basic blocks.
  • FIG. 15 is a schematic diagram of the encryption processing based on the OSU structure according to the embodiment of the present disclosure.
  • The SFH is inserted every 2 OSU frames.
  • For customer service A the SFH is inserted once every 6 basic blocks, and the SFH insertion period is denoted as Ta;
  • Fig. 16 is a schematic diagram of the OSU structure-based encryption processing according to an embodiment of the present disclosure.
  • For customer service B the SFH is inserted once every 10 basic blocks, and the SFH insertion period is denoted as Tb.
  • The overhead is sent first and then the data is sent.
  • The source end of customer service A sends the encryption control overhead SFH once per cycle Ta.
  • The source end of customer service B sends the encryption control overhead SFH once per cycle Tb.
  • Step 3: After the source end sends the encryption control overhead for customer service A and customer service B according to their respective cycles, it sends the OSU data, which fills the space between two encryption control overheads. The payload of this part is divided into 128-bit encryption units and encrypted, and the encrypted data forms the SFB. Finally, an integrity check is performed on the security frame (SFH+SFB): the integrity check value C is calculated and inserted after the security frame as the SFC.
  • Step 4: Customer service A and customer service B periodically complete the encryption processing and integrity processing of OSU#1 and OSU#2 according to the processing method in step 3.
  • Step 5: Multiplex OSU#1 and OSU#2 into the PBs at the corresponding positions in the data frame. After the multiplexing of OSU#1 and OSU#2 is completed, the data frame is encapsulated into OTU2 and sent out.
  • Step 6: After receiving the OTU2, the sink demaps the corresponding OSU#1 and OSU#2 from the PBs of the data frame.
  • Step 7: The sink then identifies the data block, IDLE block, basic overhead block, and encryption overhead block according to the position and type identification of the data and overhead.
  • Step 8: For the encrypted OSU block, the sink locally calculates a check value D and compares the received integrity check value C with D. If the two are different, the OSU block is discarded; if they are the same, the original service type A and service type B are decrypted from the OSU block.
  • Step 9: When the key update timer expires, the upper-layer software first sends the encryption control word to the source device and the sink device at the same time, and then the source device initiates the key update operation.
  • FIG. 17 is a schematic diagram of the second key switch of the source end according to an embodiment of the present disclosure.
  • Since the SFH is inserted once every 2 OSU frames, the source also needs to insert the "N value" (that is, the number of OSU frames per SFH insertion) in the designated overhead position SFH and pass this value to the sink.
  • Fig. 18 is the second schematic diagram of key switching at the sink according to the embodiment of the present disclosure.
  • The sink parses out the content in the SFH and obtains the "N value", which corresponds to the value of N in this embodiment, and then, according to the local MFAS[2:0], starting immediately from the next boundary of 4 overall frames, the interval of the received OSU frame is 4 overall frames.
  • the sink will switch to the new key at the boundary of the next 4 overall frames and report the successful switching event at the same time. If the number of comparisons is less than 2 times, the handover failure event will be reported, and the sink will continue to search for and compare the encryption control words with a cycle of 4 overall frames.
  • The method according to the above embodiments can be implemented by means of software plus the necessary general hardware platform; it can of course also be implemented by hardware, but in many cases the former is the better implementation.
  • The technical solution of the present invention, in essence or in the part that contributes to the existing technology, can be embodied in the form of a software product. The computer software product is stored in a storage medium (such as ROM/RAM, a magnetic disk, or an optical disc) and includes several instructions to enable a terminal device (which can be a mobile phone, a computer, a server, a network device, etc.) to execute the method described in each embodiment of the present invention.
  • An encryption control overhead transmission device in an optical transport network is also provided.
  • The device is configured to implement the above-mentioned embodiments and optional implementation manners; what has already been described will not be repeated.
  • The term "module" may refer to a combination of software and/or hardware that implements predetermined functions.
  • Although the devices described in the following embodiments are preferably implemented by software, implementation by hardware or by a combination of software and hardware is also possible and conceived.
  • Fig. 19 is a structural block diagram 1 of an encryption control overhead transmission device in an optical transport network according to an embodiment of the present invention. As shown in Fig. 19, the device includes:
  • The first mapping module 192 is configured to map client services to the OSU data stream of the optical service layer unit, where the OSU is composed of N basic blocks, and the N basic blocks include one OSU overhead and N-1 OSU payloads;
  • The inserting module 194 is configured to insert the encryption control overhead into the OSU overhead channel of the OSU data stream every M frames, where M is an integer greater than or equal to 1;
  • The second mapping module 196 is configured to map the OSU data stream to the payload block PB of the payload area of the OTN frame;
  • The first sending module 198 is configured to encapsulate the data frame into an optical conversion unit OTU frame, and send the OTU frame to the sink.
  • The inserting module 194 is also configured to establish an encryption control overhead channel in the OSU overhead of the OSU data stream every M frames, and to carry the encryption control overhead through the encryption control overhead channel to obtain multiple security frame headers SFH, wherein the encryption control overhead includes a counter, an encryption control word, and the M, and the counter is set to count encryption units during the process of encrypting the OSU payload.
  • The device further includes:
  • An encryption module configured to encrypt the OSU payload between the multiple SFHs to obtain multiple secure frame body SFBs;
  • A combination module configured to combine each of the SFHs with the SFB following the SFH to obtain multiple security frames;
  • A verification module configured to verify the integrity of the multiple security frames respectively, and insert an integrity verification field at the end of the corresponding security frame.
  • The encryption module includes:
  • The first encryption submodule is configured to use a combination of the multiframe alignment signal MFAS and the counter to encrypt the original key negotiated with the sink in advance to obtain the target key;
  • The second encryption submodule is configured to encrypt the encryption units of the OSU payload between the multiple SFHs by using the target key to obtain the multiple SFBs.
  • The device further includes:
  • A receiving submodule configured to receive the encryption control word simultaneously with the sink after the preset timer of the original key expires;
  • The inserting submodule is configured to insert the encryption control word into the SFH of W consecutive OSU frames, starting from the immediately following boundary of W OSU frames according to the MFAS, and to start the key update operation at the boundary of the next W frames, wherein W is an integer greater than 1;
  • The comparison submodule is configured to receive the key switch success message, which the sink end sends if, when it continuously searches the OSU data stream for the encryption control word every M frames according to the MFAS with W OSU frames as a period and compares the encryption control word, the comparison result is greater than W/2;
  • The third encryption submodule is configured to use the updated original key for encryption at the boundary of the next W frames according to the key switch success message.
  • The second mapping module 196 includes:
  • A mapping submodule configured to map the OSU data stream to the PB payload area of the data frame;
  • A setting submodule configured to set the overhead type of the OSU data stream in the PB overhead area of the data frame.
  • Each of the above-mentioned modules can be implemented by software or hardware.
  • This can be implemented in the following ways, but is not limited to them: the above-mentioned modules are all located in the same processor; or the above-mentioned modules are located in different processors in any combination.
  • An encryption control overhead transmission device in an optical transport network is also provided.
  • The device is configured to implement the above-mentioned embodiments and optional implementation manners; what has already been described will not be repeated.
  • The term "module" may refer to a combination of software and/or hardware that implements predetermined functions.
  • Although the devices described in the following embodiments are preferably implemented by software, implementation by hardware or by a combination of software and hardware is also possible and conceived.
  • Fig. 20 is a second structural block diagram of an encryption control overhead transmission device in an optical transport network according to an embodiment of the present invention. As shown in Fig. 20, the device includes:
  • The first receiving module 202 is configured to receive the optical conversion unit OTU frame encapsulating the OTN frame sent by the source end, wherein the OSU data stream is mapped in the payload block PB of the OTN frame, encryption control overhead is inserted into the OSU overhead channel of the OSU data stream every M frames, client services are mapped in the OSU data stream, the OSU is composed of N basic blocks, and the N basic blocks include one OSU overhead and N-1 OSU payloads;
  • The obtaining module 204 is configured to obtain the OSU data stream from the OTU frame.
  • The device further includes:
  • The decryption module is configured to decrypt multiple secure frame body SFBs in the OSU data stream according to the multiframe alignment signal MFAS, the counter, the encryption control word and the M to obtain the service, wherein the encryption control overhead includes the counter, the encryption control word, and the M, the counter is set to count the encryption units during the process of encrypting the OSU payload, the multiple security frames are respectively formed by combining multiple SFHs with the SFBs following the SFHs, an integrity check field is inserted at the end of the multiple security frames, the multiple SFBs are obtained by encrypting the OSU payload between the multiple SFHs, and the multiple SFHs are obtained by inserting the encryption control overhead into the OSU overhead of the OSU data stream every M frames.
  • The device further includes:
  • The second receiving module is configured to receive the encryption control word at the same time as the source end after the preset timer of the original key expires, wherein the source end is configured to insert the encryption control word into the SFH of W consecutive OSU frames, starting from the immediately following boundary of W OSU frames according to the MFAS, and to start a key update operation at the boundary of the next W frames, where W is an integer greater than 1;
  • The comparison module is configured to, with W OSU frames as a period, continuously search the OSU data stream for the encryption control word every M frames according to the MFAS, and compare the encryption control word with the received encryption control word;
  • The second sending module is configured to send a key switch success message to the source end if the comparison result is that the number of matches is greater than W/2, wherein the key switch success message is used to instruct the source end to encrypt using the updated original key at the boundary of the next W frames.
  • Each of the above-mentioned modules can be implemented by software or hardware.
  • This can be implemented in the following ways, but is not limited to them: the above-mentioned modules are all located in the same processor; or the above-mentioned modules are located in different processors in any combination.
  • An embodiment of the present invention also provides a computer-readable storage medium in which a computer program is stored, wherein the computer program is configured to execute the steps in any one of the foregoing method embodiments when running.
  • The above-mentioned computer-readable storage medium may include, but is not limited to: a U disk, Read-Only Memory (ROM for short), Random Access Memory (RAM for short), mobile hard drives, magnetic disks, optical discs and other media that can store computer programs.
  • An embodiment of the present invention also provides an electronic device including a memory and a processor, the memory stores a computer program, and the processor is configured to run the computer program to execute the steps in any one of the foregoing method embodiments.
  • The aforementioned electronic device may further include a transmission device and an input-output device, wherein the transmission device is connected to the aforementioned processor, and the input-output device is connected to the aforementioned processor.
  • The modules or steps of the present invention can be implemented by a general computing device, and they can be concentrated on a single computing device or distributed across a network composed of multiple computing devices. They can be implemented with program code executable by a computing device, so that they can be stored in a storage device for execution by the computing device; in some cases, the steps shown or described can be executed in a different order than shown here, or they can be fabricated into individual integrated circuit modules, or multiple modules or steps among them can be fabricated into a single integrated circuit module. In this way, the present invention is not limited to any specific combination of hardware and software.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Small-Scale Networks (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present disclosure relates to a method and apparatus for transmitting encryption control overhead in an optical transport network (OTN). The method includes the following steps: mapping a service into an optical service unit (OSU) data stream, an OSU being composed of N basic blocks, and the N basic blocks including one OSU overhead and N-1 OSU payloads; inserting encryption control overhead into an OSU overhead channel every M frames of the OSU data stream, M being an integer greater than or equal to 1; mapping the OSU data stream into a payload block (PB) of a payload area of an OTN frame; and encapsulating the data frame into an optical conversion unit (OTU) frame, and sending the OTU frame to a receiver. This can solve the problem in the related art that, when existing ODUk reserved bytes in OTN frame structures are used to establish security management information channels, the number of ODUk reserved bytes is limited, some reused existing bytes conflict in special scenarios, and the method of saving the limited ODUk reserved bytes by means of multi-frame transmission is not flexible; flexible control of the security management information is achieved.
PCT/CN2021/097388 2020-06-03 2021-05-31 Method and apparatus for transmitting encryption control overhead in an optical transport network WO2021244489A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202010496150.1 2020-06-03
CN202010496150.1A CN113765853A (zh) 2020-06-03 2020-06-03 Method and apparatus for transmitting encryption control overhead in an optical transport network

Publications (1)

Publication Number Publication Date
WO2021244489A1 (fr) 2021-12-09

Family

ID=78783410

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2021/097388 WO2021244489A1 (fr) 2020-06-03 2021-05-31 Method and apparatus for transmitting encryption control overhead in an optical transport network

Country Status (2)

Country Link
CN (1) CN113765853A (fr)
WO (1) WO2021244489A1 (fr)

Also Published As

Publication number Publication date
CN113765853A (zh) 2021-12-07

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 21817148

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 06/04/2023)

122 Ep: pct application non-entry in european phase

Ref document number: 21817148

Country of ref document: EP

Kind code of ref document: A1