WO2022062948A1 - 一种无源光网络中的安全通信方法和装置 - Google Patents
一种无源光网络中的安全通信方法和装置 Download PDFInfo
- Publication number
- WO2022062948A1 WO2022062948A1 PCT/CN2021/118085 CN2021118085W WO2022062948A1 WO 2022062948 A1 WO2022062948 A1 WO 2022062948A1 CN 2021118085 W CN2021118085 W CN 2021118085W WO 2022062948 A1 WO2022062948 A1 WO 2022062948A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- key
- message
- onu
- olt
- algorithm
- Prior art date
Links
- 238000000034 method Methods 0.000 title claims abstract description 77
- 238000004891 communication Methods 0.000 title claims abstract description 34
- 230000003287 optical effect Effects 0.000 title claims description 62
- 238000004422 calculation algorithm Methods 0.000 claims abstract description 98
- 238000012795 verification Methods 0.000 claims abstract description 17
- 230000008859 change Effects 0.000 claims description 4
- 238000012986 modification Methods 0.000 claims description 4
- 230000004048 modification Effects 0.000 claims description 4
- 238000012423 maintenance Methods 0.000 abstract description 4
- 230000002457 bidirectional effect Effects 0.000 abstract description 3
- 238000007726 management method Methods 0.000 description 15
- 230000006870 function Effects 0.000 description 7
- 238000004590 computer program Methods 0.000 description 5
- 238000010586 diagram Methods 0.000 description 5
- 238000004364 calculation method Methods 0.000 description 4
- 238000005516 engineering process Methods 0.000 description 4
- 239000000835 fiber Substances 0.000 description 4
- 239000013307 optical fiber Substances 0.000 description 4
- 230000008569 process Effects 0.000 description 4
- 230000005540 biological transmission Effects 0.000 description 3
- 238000012545 processing Methods 0.000 description 3
- 239000004065 semiconductor Substances 0.000 description 2
- 238000012546 transfer Methods 0.000 description 2
- 230000009286 beneficial effect Effects 0.000 description 1
- 238000013500 data storage Methods 0.000 description 1
- 230000010354 integration Effects 0.000 description 1
- 239000007788 liquid Substances 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
- 239000007787 solid Substances 0.000 description 1
- 230000003068 static effect Effects 0.000 description 1
- 238000011144 upstream manufacturing Methods 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04B—TRANSMISSION
- H04B10/00—Transmission systems employing electromagnetic waves other than radio-waves, e.g. infrared, visible or ultraviolet light, or employing corpuscular radiation, e.g. quantum communication
- H04B10/27—Arrangements for networking
- H04B10/272—Star-type networks or tree-type networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
- H04L9/3268—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements using certificate validation, registration, distribution or revocation, e.g. certificate revocation list [CRL]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04B—TRANSMISSION
- H04B10/00—Transmission systems employing electromagnetic waves other than radio-waves, e.g. infrared, visible or ultraviolet light, or employing corpuscular radiation, e.g. quantum communication
- H04B10/27—Arrangements for networking
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04B—TRANSMISSION
- H04B10/00—Transmission systems employing electromagnetic waves other than radio-waves, e.g. infrared, visible or ultraviolet light, or employing corpuscular radiation, e.g. quantum communication
- H04B10/80—Optical aspects relating to the use of optical transmission for specific applications, not provided for in groups H04B10/03 - H04B10/70, e.g. optical power feeding or optical transmission through water
- H04B10/85—Protection from unauthorised access, e.g. eavesdrop protection
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
- H04L63/0435—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/12—Applying verification of the received information
- H04L63/123—Applying verification of the received information received data contents, e.g. message integrity
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/0838—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
- H04L9/0841—Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving Diffie-Hellman or related key agreement protocols
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/08—Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
- H04L9/0816—Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
- H04L9/085—Secret sharing or secret splitting, e.g. threshold schemes
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/14—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols using a plurality of keys or algorithms
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3247—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/32—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
- H04L9/3263—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving certificates, e.g. public key certificate [PKC] or attribute certificate [AC]; Public key infrastructure [PKI] arrangements
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L9/00—Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
- H04L9/40—Network security protocols
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04Q—SELECTING
- H04Q11/00—Selecting arrangements for multiplex systems
Definitions
- the present application relates to the field of optical communication, and more particularly, to a secure communication method and device for a passive optical network (Passive Optical Network, PON).
- a passive optical network Passive Optical Network, PON
- Passive Optical Network (PON) technology is a point-to-multipoint fiber access technology.
- a PON system may include an Optical Line Terminal (OLT), an Optical Distribution Network (ODN), and at least one Optical Network Unit (ONU).
- OLT is connected to multiple ONUs through the ODN.
- the OLT needs to perform security authentication on the ONU.
- the more common authentication methods mainly include the authentication based on the serial number (SN) of the ONU, the authentication based on the ONU media access control (Media Access Control, MAC) address, and the authentication based on the password.
- the OLT can authenticate the legitimacy of the ONU.
- SN, password and other information are transmitted in clear text, so there is a risk of leakage; moreover, since these methods are all one-way authentication, the ONU cannot authenticate the OLT; if there is a counterfeit OLT, configure the ONU and control, it will have a significant impact on the end user's business, and there will be huge security risks.
- the present application provides a method for secure communication in a PON system, and a device and system for implementing the method.
- the present application proposes a secure communication method for a PON system.
- the OLT sends a first message to the ONU, where the first message includes a first key algorithm, a certificate of the OLT and a public key of the OLT, and the first key algorithm is a key algorithm supported by both the OLT and the ONU.
- the ONU verifies the certificate of the OLT, and after the verification is passed, the shared key is determined according to the first key algorithm and the public key of the OLT.
- the ONU sends a second message to the OLT, where the second message includes the ONU's certificate and the ONU's public key. After receiving the second message, the OLT verifies the certificate of the ONU.
- the shared key is determined according to the first key algorithm and the ONU's public key; it should be noted that based on the first key algorithm, the ONU determines the shared key.
- the shared key is the same as the shared key determined by the OLT. In turn, the ONU and the OLT can use the shared key to encrypt communication of messages and data of the session or communication.
- the ONU can also authenticate the legality of the OLT, and the two-way authentication between the OLT and the ONU is realized without introducing other devices or entities. It improves the security of the system and reduces the difficulty of operation and maintenance. And after the authentication is completed, a shared key is negotiated, and the communication between the OLT and the ONU is encrypted and protected by the shared key, which strengthens the security protection of data and improves the security level of communication.
- the OLT may obtain the key algorithm supported by the ONU from the ONU. For example, the OLT first sends an authentication request to the ONU, the ONU sends a third message containing the key algorithm supported by the ONU to the OLT, and the OLT then determines the first key algorithm according to the key algorithm supported by the ONU and the key algorithm supported by the OLT .
- This implementation does not need to configure the key algorithm supported by the ONU in the OLT in advance, which reduces the cost of operation and maintenance.
- the first message further includes a key parameter set, and the key parameter set includes one or more key parameters.
- the OLT transmits the key parameters used by it to the ONU through a message, and the ONU and OLT use the same parameters in the process of calculating and generating the key to ensure the consistency of the shared key finally obtained by the ONU and the OLT.
- the OLT uses the random number as the private key of the OLT, and the OLT determines the public key of the OLT according to the first key algorithm, the first key parameter and the private key of the OLT, and the first key
- the key parameter is one or more key parameters in the key parameter set; the ONU uses the random number as the private key of the ONU, and the ONU determines the ONU's public key.
- the ONU determines the shared key according to the first key algorithm, the second key parameter, the public key of the OLT and the private key of the ONU, and the second key parameter is the encryption key.
- the OLT determines the shared key according to the first key algorithm, the second key parameter, the public key of the ONU and the private key of the OLT.
- OLT and ONU use the same key algorithm and key parameters in the calculation process. Both OLT and ONU exchange public information without using a secure channel, and negotiate a key that only each other knows. The whole process does not require the participation of third-party devices or network elements, nor does it need to negotiate and establish a secure channel in advance, which not only improves the security of communication between the OLT and the ONU, but also reduces the difficulty and cost of implementation compared to the existing technology.
- the OLT may also use the private key corresponding to the certificate of the OLT to digitally sign the first message; correspondingly, the ONU uses the private key corresponding to the certificate of the ONU Digitally sign the second message.
- the OLT after receiving the registration message of the ONU, the OLT initiates an authentication request to the ONU.
- the above OLT and ONU security authentication related messages such as the first message, the second message, the third message and the authentication request, pass through an optical network terminal management interface (optical network terminal management). and control interface, OMCI) message transmission.
- OMCI optical network terminal management
- the authentication message and the first message are implemented by an OMCI setting SET message; the second message and the third message are implemented by an OMCI attribute value modification (Attribute Value Change, AVC) message.
- a message type of the OMCI may also be added, corresponding to the first message, the second message, the third message and the authentication request, respectively.
- the present application provides a PON system device.
- the device includes a processor, memory and a transceiver.
- the transceiver is used to send and receive signals and data;
- the memory is used to store program instructions;
- the processor is used to execute the program stored in the memory, when the program is executed, the device executes as in the first aspect The OLT or ONU related method.
- the present application provides a PON security communication system, where the PON system includes the OLT and the ONU as described above.
- the present application provides a computer-readable storage medium, where the computer-readable storage medium stores a computer program, wherein, when the computer program is executed by hardware, some or all of the steps related to the OLT or ONU in the above-mentioned first aspect can be implemented .
- FIG. 1 is a schematic diagram of a PON system architecture provided by an embodiment of the present application.
- FIG. 2 is a schematic diagram of a method for secure communication in a PON system provided by an embodiment of the present application
- FIG. 3 is a schematic diagram of another method for secure communication in a PON system provided by an embodiment of the present application.
- FIG. 4 is a schematic structural diagram of an OLT or ONU device according to an embodiment of the present application.
- next-generation PON NG-PON
- NG-PON1 next-generation PON
- NG-PON2 gigabit-capable PON
- GPON 10 gigabit per second PON (10 gigabit per second PON, XG-PON), symmetric 10 gigabit passive optical network (10-gigabit-capable symmetric passive optical network, XGS-PON), Ethernet PON (Ethernet PON, EPON), 10 gigabit per second EPON (10 gigabit per second EPON, 10G-EPON), next-generation EPON (next-generation EPON, NG-EPON), wavelength division multiplexing (wavelength-division multiplexing, WDM) PON, time-and wavelength-division multiplexing (TWDM) PON, point-to-point (P2P) WDM PON (P2P-WDM PON), asynchronous transfer
- WDM wavelength division multiplexing
- TWDM time-and wavelength-division multiplexing
- TWDM point
- FIG. 1 is a schematic structural diagram of a PON system applicable to various embodiments of the present invention.
- the PON system 100 includes at least one OLT 110 , at least one ODN 120 and multiple ONUs 130 .
- the OLT 110 provides a network-side interface for the PON system 100
- the ONU 130 provides a user-side interface for the PON system 100 and is connected to the ODN 120 .
- the ONU 130 directly provides the user port function, it is called an optical network terminal (Optical Network Terminal, ONT).
- ONT optical Network Terminal
- the ONU 130 mentioned below collectively refers to an ONT that can directly provide a user port function and an ONU that provides a user side interface.
- ODN 120 is a network composed of optical fibers and passive optical splitting devices, used to connect OLT 110 equipment and ONU 130 equipment, and used to distribute or multiplex data signals between OLT 110 and ONU 130.
- the direction from the OLT 110 to the ONU 130 is defined as the downstream direction
- the direction from the ONU 130 to the OLT 110 is defined as the upstream direction.
- the OLT 110 adopts the time division multiplexing (Time Division Multiplexing, TDM) method to broadcast the downstream data to the multiple ONUs 130 managed by the OLT 110, and each ONU 130 only receives the data carrying its own identification;
- Each ONU 130 communicates with the OLT 110 in a time division multiple access (Time Division Multiple Access, TDMA) manner, and each ONU 130 sends uplink data according to the time domain resources allocated by the OLT 110.
- TDM Time Division Multiplexing
- TDMA Time Division Multiple Access
- the downlink optical signal sent by the OLT 110 is a continuous optical signal
- the uplink optical signal sent by the ONU 130 is a burst optical signal.
- the OLT 110 is usually located in a central office (Central Office, CO), can manage at least one ONU 130 uniformly, and transmit data between the ONU 130 and the upper-layer network. Specifically, the OLT 110 can act as a medium between the ONU 130 and the upper-layer network (such as the Internet, a public switched telephone network (PSTN), and forward the data received from the upper-layer network to the ONU 130, And forward the data received from ONU 130 to the upper layer network.
- a central office Central Office, CO
- CO central office
- CO central office
- the OLT 110 can act as a medium between the ONU 130 and the upper-layer network (such as the Internet, a public switched telephone network (PSTN), and forward the data received from the upper-layer network to the ONU 130, And forward the data received from ONU 130 to the upper layer network.
- the upper-layer network such as the Internet, a public switched telephone network (PSTN)
- the specific structural configuration of the OLT 110 may vary depending on the specific type of the PON system 100, for example, in one embodiment, the OLT 110 may include transmitting The transmitter and the receiver, the transmitter is used to send the downlink continuous optical signal to the ONU 130, and the receiver is used to receive the uplink burst optical signal from the ONU 130, wherein the downlink optical signal and the uplink optical signal can be carried out through the ODN 120. transmission, but the embodiment of the present invention is not limited thereto.
- the ONUs 130 may be distributed in user-side locations (such as customer premises).
- the ONU 130 may be a network device for communicating with the OLT 110 and the user, specifically, the ONU 130 may act as an intermediary between the OLT 110 and the user, for example, the ONU 130 may receive data from the OLT 110 Forwarding to the user, and forwarding of data received from the user to the OLT 110.
- the ODN 120 may be a data distribution network, which may include optical fibers, optical couplers, optical splitters, or other devices.
- the optical fiber, optical coupler, optical splitter or other device may be a passive optical device, specifically, the optical fiber, optical coupler, optical splitter or other device may be between the OLT 110 and the ONU 130 devices that do not require power supply when distributing data signals between Specifically, taking an optical splitter (Splitter) as an example, the optical splitter can be connected to the OLT 110 through a trunk fiber, and connected to a plurality of ONUs 130 through a plurality of branch fibers respectively, thereby realizing the OLT 110 and the ONU 130. point-to-multipoint connections.
- splitter optical splitter
- the ODN 120 may further include one or more processing devices, for example, an optical amplifier or a relay device (Relay device).
- the ODN 120 may specifically extend from the OLT 110 to multiple ONUs 130, but may also be configured into any other point-to-multipoint structure, and the embodiment of the present invention is not limited thereto.
- a typical security threat is that an illegal ONU disguises itself as a legal ONU to send and receive data, which occupies a lot of bandwidth, wastes network resources, and prevents normal users from registering; or an illegal ONU disguises itself as a registered ONU. ONU steals important information of users.
- the OLT is an important central office device in the PON system. The control and management of the ONU equipment are all handled by the OLT. If an attacker pretends to be an OLT and controls a large number of ONUs connected to it, it will cause harm to end users. great security threat.
- FIG. 2 is a flowchart of a method for secure communication proposed by the present application.
- the OLT sends a first message to the ONU, which includes the first key algorithm, the certificate of the OLT and the public key of the OLT.
- the first key algorithm may be information preset on the OLT, or may be selected and determined by the OLT according to its own algorithm capability and the ONU's algorithm capability. For example, before executing this step, the OLT first obtains algorithms supported by the ONU, such as one or more algorithms such as a key algorithm, a hash algorithm, and a signature algorithm. The OLT can obtain the algorithms supported by the ONU in various ways, such as preconfiguring the algorithms supported by the ONU on the OLT, or the OLT initiates an authentication request to the ONU before this step, and the ONU sends the algorithms supported by the ONU to the OLT.
- algorithms supported by the ONU such as one or more algorithms such as a key algorithm, a hash algorithm, and a signature algorithm.
- the OLT can obtain the algorithms supported by the ONU in various ways, such as preconfiguring the algorithms supported by the ONU on the OLT, or the OLT initiates an authentication request to the ONU before this step, and the ONU sends the algorithms supported by the ONU to the
- the OLT determines the first key algorithm according to the algorithm supported by itself and the algorithm supported by the ONU, where the first key algorithm is a key algorithm supported by both the OLT and the ONU.
- the OLT can also determine the hash algorithm and signature algorithm supported by both the OLT and the ONU according to the configuration information or the information obtained from the ONU.
- the OLT certificate is a digital certificate that is preset in the OLT device, or that the OLT device applies to the certificate server in advance; the OLT certificate is issued by the certificate server and is used for authentication, digital signature, etc.
- a certificate corresponds to a private key and a public key
- the certificate contains public key information corresponding to the certificate
- the private key of the certificate is stored on the device that holds the certificate.
- the device can use the private key corresponding to the certificate to sign the sent message, and the receiver uses the public key corresponding to the certificate to verify the signature.
- the public key of the OLT is generally obtained by the OLT through a key algorithm calculation. For example, the OLT determines the key parameters (p and g) corresponding to the first key algorithm, and generates a random number Ys_a as the private key of the OLT. Then, the private key Ys_a of the OLT and the key parameters (p and g) are used as input, and the public key Yc_a of the OLT is obtained by calculation according to the first key algorithm. For example, OLT obtains the public key Yc_a by calculating the following formula:
- the public key and private key of the OLT and the public key and private key corresponding to the certificate of the OLT are two sets of keys.
- the OLT may also send one or more of the following information in the first message, such as a set of key parameters used by the OLT, a hash algorithm and a signature algorithm determined by the OLT, and the like.
- the OLT may also use the private key corresponding to the certificate of the OLT to digitally sign the first message, so as to ensure the security and integrity of the first message. It should be noted that the OLT signs the message by using the determined hash algorithm and signature algorithm supported by both the ONU and the OLT.
- the shared key is determined according to the first key algorithm and the public key of the OLT.
- the ONU receives the first message from the OLT, and verifies the validity of the OLT certificate included in the first message.
- the verification content includes whether the OLT certificate has expired, verifies the secondary certificate of the OLT certificate, and verifies whether the OLT certificate has been Revocation, etc. one or more. If the certificate verification of the OLT fails, a failure message is returned to the OLT.
- the ONU first verifies the signature information of the OLT using the public key included in the certificate of the OLT. If the verification of the signature information fails, a failure message is returned to the OLT; if the verification of the signature information succeeds, the validity of the certificate of the OLT is further verified. It should be noted that the ONU may verify the signature information of the OLT according to the preconfigured signature algorithm information or according to the signature algorithm information carried in the first message.
- the ONU After successfully verifying the certificate of the OLT, the ONU determines the shared key according to the first key algorithm and the public key of the OLT. Specifically, the ONU determines the key parameters (p and g) corresponding to the first key algorithm, and generates a random number Ys_b as the ONU's private key. Then take the ONU's private key Ys_b and key parameters (p and g) as input, and obtain the ONU's public key Yc_b according to the first key algorithm; then the ONU uses the key parameter p, the ONU's private key Ys_b, the OLT's public key The key Yc_a is used as input, and the shared key SK is obtained by calculation according to the first key algorithm. For example, ONU obtains Yc_b and SK through the following formulas:
- Yc_b g ⁇ Ys_b mod p;
- the shared key SK is used for encryption and security protection for the communication between the OLT and the ONU. It should be noted that the ONU can determine the key parameters (p and g) corresponding to the first key algorithm in various ways, such as according to preconfigured parameters, or according to the key parameters used by the OLT carried in the first message. gather.
- the ONU sends a second message to the OLT, where the second message includes the certificate of the ONU and the public key of the ONU.
- the certificate of the ONU is a digital certificate that is preset in the ONU device, or that the ONU device applies for from the certificate server in advance; the certificate of the ONU is issued by the certificate server and is used for identity verification and digital signature. Similar to the certificate of the OLT, the certificate of the ONU also corresponds to the private key and the public key, and the private key and public key corresponding to the certificate of the ONU and the private key and public key of the ONU are two sets of keys.
- the ONU may also use the private key corresponding to the certificate of the ONU to digitally sign the second message, so as to ensure the security and integrity of the second message.
- the ONU may further include indication information that the ONU has determined the shared key in the second message.
- the OLT determines the shared key according to the first key algorithm and the public key of the ONU.
- the OLT receives the second message from the ONU, and verifies the validity of the certificate of the ONU contained in the second message.
- the verification content includes whether the certificate of the ONU has expired, verifying the secondary certificate of the certificate of the ONU, and verifying whether the certificate of the ONU has been Revocation, etc. one or more. If the ONU's certificate verification fails, a failure message is returned to the ONU.
- the OLT first verifies the signature information of the ONU using the public key included in the certificate of the ONU. If the verification of the signature information fails, a failure message is returned to the ONU; if the verification of the signature information succeeds, the validity of the certificate of the ONU is further verified.
- the OLT After the OLT verifies the ONU's certificate successfully, it determines the shared key according to the first key algorithm and the ONU's public key. Specifically, the ONU takes the key parameter p, the private key Ys_a of the OLT, and the public key Yc_b of the ONU as input, and obtains the shared key SK by calculating according to the first key algorithm. For example, OLT calculates SK by the following formula:
- the OLT may also send a message to the ONU, and the message name or message content is used to indicate that the OLT has determined the shared key.
- the ONU and the OLT use the shared key to encrypt and decrypt the communication between the two parties.
- the ONU can also authenticate the legality of the OLT, and the bidirectional authentication between the OLT and the ONU is realized without introducing other devices or entities. It improves the security of the system and reduces the difficulty of operation and maintenance. And after the authentication is completed, a shared key is negotiated, and the communication between the OLT and the ONU is encrypted and protected by the shared key, which strengthens the security protection of data and improves the security level of communication.
- FIG. 3 shows an example of implementing the method based on the optical network unit management control interface in the GPON system.
- Optical Network Unit Management and Control Interface (ONU Management and Control Interface, OMCI) is a protocol for information exchange between OLT and ONT defined in the GPON standard. It is used for OLT management of ONT in GPON network, including configuration management, fault management, performance management, and security management.
- the OLT sends a request to start authentication to the ONU.
- the OLT may send the message after receiving the ONU's registration message and completing the ONU's ranging.
- the message can be specifically implemented by the setting SET message of the OMCI protocol, and the SET message carries the OMCI attribute "enable certificate bidirectional authentication".
- the ONU After receiving the authentication request sent by the OLT, the ONU sends an ONU handshake message to the OLT.
- the message can be implemented by modifying the AVC message with the attribute value of OMCI, that is, the AVC message carries the OMCI attribute "ONU handshake"; the ONU handshake specifically includes the algorithms supported by the ONU, such as key algorithm (such as DH), signature algorithm (such as RSA) ), hash algorithms (such as SHA256), etc.
- key algorithm such as DH
- signature algorithm such as RSA
- hash algorithms such as SHA256
- the message corresponds to the message 210 shown in FIG. 2 . Specifically, it can be implemented by the setting SET message of the OMCI protocol.
- the SET message carries the OMCI attributes "OLT handshake", "OLT authentication” and "OLT key exchange".
- the "OLT handshake” includes the first key algorithm determined by the OLT; the "OLT authentication” includes the OLT's certificate; and the “OLT key exchange” includes the OLT's public key.
- step 320 For this step, refer to step 220 shown in FIG. 2, and details are not repeated here.
- the message corresponds to the message 230 shown in FIG. 2 . Specifically, it can be implemented by modifying the AVC message by the attribute value of the OMCI protocol, and the AVC message carries the OMCI attributes "ONU authentication" and "ONU key exchange".
- the "ONU authentication” includes the ONU's certificate
- the "ONU key exchange” includes the ONU's public key.
- step 340 For this step, refer to step 240 shown in FIG. 2, and details are not repeated here.
- step 350 For this step, refer to step 250 shown in FIG. 2, and details are not repeated here.
- the ONT implements the configuration management function of each ME under the control of the OLT. Therefore, an OMCI entity type "authentication security entity" is newly added in this embodiment, and the OMCI message related to authentication and key negotiation in FIG. 3 carries this "authentication security entity" and corresponding OMCI attributes.
- the method flow shown in FIG. 2 can also be implemented by adding an OMCI message type, such as adding “ONU authentication”, “ONU key exchange”, “OLT handshake”, “OLT Authentication” and “OLT key exchange” message types.
- the present application also provides a device 400 .
- the device 400 may specifically be used to implement the functions of the OLT 110 or the ONU 130 in the embodiments of the present application.
- the device includes a processor 401, a memory 402 and a transceiver 403, and the processor 401, the memory 402 and the transceiver 403 are connected to each other by wires.
- the processor 401 may adopt a general-purpose central processing unit (Central Processing Unit, CPU), a microprocessor, an application-specific integrated circuit ASIC, or at least one integrated circuit, for executing a related program, so as to implement the technology provided by the embodiments of the present invention plan.
- the processor can independently have the function of PON-related protocol media access control (MAC), or can realize the PON protocol MAC function through an external chip, so as to realize the communication with the OLT110 and the ONU 103.
- Device 400 may include multiple processors, each of which may include one or more CPUs.
- the processor 401 is specifically responsible for executing the methods related to the OLT 110 or the ONU 130 in this application, and communicates with the OLT 110 or the ONU 130 through the transceiver 403.
- Memory 402 is used to store program instructions and data.
- the memory can be a read only memory (Read Only Memory, ROM), a static storage device, a dynamic storage device, or a random access memory (Random Access Memory, RAM).
- ROM Read Only Memory
- RAM Random Access Memory
- program codes for implementing the technical solutions provided by the embodiments of the present invention are stored in the memory 402 and executed by the processor 401 .
- the memory 402 may also be used to store and record information such as algorithms, parameters, and keys described in the embodiments of the present application.
- the processor 401 may include a memory 402 inside. In another embodiment, processor 401 and memory 402 are two separate structures.
- Transceiver 403 is configured to perform the operations of transmitting and receiving signals or data in the above embodiments.
- Transceiver 803 includes an optical transmitter and/or an optical receiver.
- Optical transmitters can be used to transmit optical signals
- optical receivers can be used to receive optical signals.
- the light transmitter can be realized by a light-emitting device, such as a gas laser, a solid-state laser, a liquid laser, a semiconductor laser, a directly modulated laser, and the like.
- the optical receiver may be implemented by a photodetector, such as a photodetector or a photodiode (eg, an avalanche diode) or the like.
- Transceiver 403 may also include digital-to-analog converters and analog-to-digital converters.
- the transceiver 403 may further include a wavelength division multiplexer for realizing multiplexing and demultiplexing of optical signals of different wavelengths.
- the present invention also provides a PON security communication system, which includes the above-mentioned optical line terminal OLT 110 and one or more optical network units ONU 130.
- the above-mentioned embodiments it may be implemented in whole or in part by software, hardware, firmware or any combination thereof.
- software it can be implemented in whole or in part in the form of a computer program product.
- the computer program product includes one or more computer instructions. When the computer program instructions are loaded and executed on a computer, all or part of the processes or functions described in the embodiments of the present invention are generated.
- the computer may be a general purpose computer, special purpose computer, computer network, or other programmable device.
- the computer instructions may be stored in or transmitted from one computer-readable storage medium to another computer-readable storage medium, for example, the computer instructions may be downloaded from a website site, computer, server, or data center Transmission to another website site, computer, server, or data center is by wire (eg, coaxial cable, fiber optic, digital subscriber line (DSL)) or wireless (eg, infrared, wireless, microwave, etc.).
- the computer-readable storage medium may be any available medium that can be accessed by a computer or a data storage device such as a server, data center, etc. that includes an integration of one or more available media.
- the usable media may be magnetic media (eg, floppy disks, hard disks, magnetic tapes), optical media (eg, DVD), or semiconductor media (eg, Solid State Disk (SSD)), and the like.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computing Systems (AREA)
- Physics & Mathematics (AREA)
- Electromagnetism (AREA)
- Computer Hardware Design (AREA)
- General Engineering & Computer Science (AREA)
- Small-Scale Networks (AREA)
Abstract
一种PON系统的安全通信方法。首先,OLT向ONU发送第一消息,第一消息包括第一密钥算法,OLT的证书和OLT的公钥,该第一密钥算法为OLT和ONU都支持的密钥算法。ONU对OLT的证书进行验证,验证通过后,根据第一密钥算法和OLT的公钥确定共享密钥。之后,ONU向OLT发送第二消息,第二消息包括ONU的证书和ONU的公钥。OLT收到第二消息后,对ONU的证书进行验证,验证通过后,根据第一密钥算法和ONU的公钥确定共享密钥;进而,ONU和OLT可以使用该共享密钥对会话或通信的消息和数据进行加密通信。该方法在不引入其它设备或实体的情况下,实现了OLT和ONU的双向认证,不仅提升了系统的安全性,降低了运维的难度,还加强了对数据的安全性保护,提升了通信的安全等级。
Description
本申请要求于2020年9月22日提交中国国家知识产权局、申请号为202011002853.0、申请名称为“一种无源光网络中的安全通信方法和装置”的中国专利申请的优先权,其全部内容通过引用结合在本申请中。
本申请涉及光通信领域,更具体地,涉及一种无源光网络(Passive Optical Network,PON)的安全通信方法和装置。
无源光网络(Passive Optical Network,PON)技术是一种点到多点的光纤接入技术。PON系统可以包括光线路终端(Optical Line Terminal,OLT)、光分配网络(Optical Distribution Network,ODN)和至少一个光网络单元(Optical Network Unit,ONU)。OLT通过ODN与多个ONU连接。
为了确保通信安全,OLT需要对ONU进行安全认证。目前比较常见的认证方法主要有基于ONU序列号(serial number,SN)的认证,基于ONU媒体接入控制(Media Access Control,MAC)地址的认证,基于口令password的认证等。基于如上这些认证方法,OLT能够认证ONU的合法性。但是,由于如上认证方法中,SN、password等信息都是明文传输的,因此存在泄漏的风险;而且,由于这些方法都是单向认证,ONU无法认证OLT;如果存在仿冒的OLT对ONU进行配置和控制,会对终端用户的业务造成重大影响,存在巨大安全隐患。
因此,亟需一种安全性更高的PON系统安全通信方法。
发明内容
本申请提出一种PON系统安全通信的方法,及实现该方法的装置和系统。
第一方面,本申请提出一种PON系统的安全通信方法。首先,OLT向ONU发送第一消息,第一消息包括第一密钥算法,OLT的证书和OLT的公钥,该第一密钥算法为OLT和ONU都支持的密钥算法。ONU对OLT的证书进行验证,验证通过后,根据第一密钥算法和OLT的公钥确定共享密钥。之后,ONU向OLT发送第二消息,第二消息包括ONU的证书和ONU的公钥。OLT收到第二消息后,对ONU的证书进行验证,验证通过后,根据第一密钥算法和ONU的公钥确定共享密钥;需要说明的是,基于第一密钥算法,ONU所确定的共享密钥和OLT所确定的共享密钥是相同的。进而,ONU和OLT可以使用该共享密钥对会话或通信的消息和数据进行加密通信。
通过第一方面中所述的方法,不仅实现了OLT对ONU的认证,ONU还可以对OLT的合法性进行认证,在不引入其它设备或实体的情况下,实现了OLT和ONU的双向认证,提升了系统的安全性,降低了运维的难度。而且认证完成后,还协商出了共享密钥,OLT和ONU间的通信通过共享密钥进行加密保护,加强了对数据的安全性保护,提升了通信的安全等级。
在第一方面的一种可能的实现方式中,OLT可以从ONU获取ONU支持的密钥算法。如OLT首先向ONU发送认证请求,ONU向OLT发送包含ONU支持的密钥算法的第三消息,OLT进而根 据所述ONU支持的密钥算法和OLT支持的密钥算法,确定第一密钥算法。该实现方式不需要提前在OLT配置ONU支持的密钥算法,降低了运维的成本。
在第一方面的一种可能的实现方式中,第一消息中还包括密钥参数集合,密钥参数集合中包括一个或多个密钥参数。OLT将其使用的密钥参数通过消息传递给ONU,ONU和OLT在计算和生成密钥的过程中,使用相同的参数,保证了ONU和OLT最终计算获得的共享密钥的一致性。
在第一方面的一种可能的实现方式中,OLT将随机数作为OLT的私钥,OLT根据第一密钥算法,第一密钥参数和OLT的私钥确定OLT的公钥,第一密钥参数为密钥参数集合中的一个或多个密钥参数;ONU将随机数作为ONU的私钥,ONU根据第一密钥算法,第一密钥参数和ONU的私钥确定所述ONU的公钥。
在第一方面的一种可能的实现方式中,ONU根据所述第一密钥算法,第二密钥参数,OLT的公钥和ONU的私钥确定共享密钥,第二密钥参数为密钥参数集合中的一个或多个密钥参数;OLT根据第一密钥算法,第二密钥参数,ONU的公钥和OLT的私钥确定共享密钥。
如上所述,OLT和ONU在计算过程中使用相同的密钥算法和密钥参数,OLT和ONU双方不借助安全信道、交换的都是公开信息,协商出了一个只有彼此才知道的密钥。整个过程不需要第三方设备或网元的参与,也不需要提前协商并建立安全通道,不仅提升了OLT和ONU通信的安全性,相比现有技术,还降低了实施的难度和成本。
在第一方面的一种可能的实现方式中,为进一步提升安全性,OLT还可以使用OLT的证书对应的私钥对第一消息进行数字签名;相应的,ONU使用ONU的证书对应的私钥对第二消息进行数字签名。
在第一方面的一种可能的实现方式中,OLT在收到ONU的注册消息后,向所述ONU发起认证请求。
在第一方面的一种可能的实现方式中,如上OLT和ONU安全认证相关的消息,如第一消息,第二消息,第三消息和认证请求通过光网络终端管理控制接口(optical network terminal management and control interface,OMCI)消息传输。例如,认证消息和第一消息通过OMCI设置SET消息实现;第二消息和第三消息通过OMCI属性值修改(Attribute Value Change,AVC)消息实现。又比如,还可以新增OMCI的消息类型,分别对应第一消息,第二消息,第三消息和认证请求。
第二方面,本申请提出一种PON系统设备。该设备包括处理器、存储器和收发器。其中,收发器,用于进行信号和数据的收发;存储器,用于存储程序指令;处理器,用于执行存储器中存储的程序,当所述程序被执行时,该设备执行如第一方面中所述OLT或ONU相关的方法。
第三方面,本申请提供一种PON安全通信系统,该PON系统包括如上方面所述的OLT和ONU。
第四方面,本申请提供了一种计算机可读存储介质,计算机可读存储介质存储有计算机程序,其中,计算机程序被硬件执行时能够实现上述第一方面中OLT或ONU相关的部分或全部步骤。
图1为本申请实施例提供的一种PON系统架构示意图;
图2为本申请实施例提供的一种PON系统安全通信方法示意图;
图3为本申请实施例提供的另一种PON系统安全通信方法示意图;
图4为本申请实施例提供的一种OLT或ONU设备的结构示意图。
下面将结合本申请实施例中的附图,对本申请实施例中的技术方案进行描述。
本申请实施例的技术方案可以应用于各种无源光网络系统,例如,下一代PON(next-generation PON,NG-PON)、NG-PON1、NG-PON2、千兆比特PON(gigabit-capable PON,GPON)、10吉比特每秒PON(10 gigabit per second PON,XG-PON)、对称10吉比特无源光网络(10-gigabit-capable symmetric passive optical network,XGS-PON)、以太网PON(Ethernet PON,EPON)、10吉比特每秒EPON(10gigabit per second EPON,10G-EPON)、下一代EPON(next-generation EPON,NG-EPON)、波分复用(wavelength-division multiplexing,WDM)PON、时分波分堆叠复用(time-and wavelength-division multiplexing,TWDM)PON、点对点(point-to-point,P2P)WDM PON(P2P-WDM PON)、异步传输模式PON(asynchronous transfer mode PON,APON)、宽带PON(broadband PON,BPON),等等,以及25吉比特每秒PON(25gigabit per second PON,25G-PON)、50吉比特每秒PON(50gigabit per second PON,50G-PON)、100吉比特每秒PON(100gigabit per second PON,100G-PON)、25吉比特每秒EPON(25gigabit per second EPON,25G-EPON)、50吉比特每秒EPON(50gigabit per second EPON,50G-EPON)、100吉比特每秒EPON(100 gigabit per second EPON,100G-EPON),以及其他速率的GPON、EPON等。
图1为适用本发明各个实施例的PON系统的架构示意图,如图1所示,PON系统100包括至少一个OLT110、至少一个ODN120和多个ONU130。其中,OLT110为PON系统100提供网络侧接口,ONU130为PON系统100提供用户侧接口,与ODN 120相连。如果ONU 130直接提供用户端口功能,则称为光网络终端(Optical Network Terminal,ONT)。为了便于描述,下文所提到的ONU130统指可以直接提供用户端口功能的ONT和提供用户侧接口的ONU。ODN 120是由光纤和无源分光器件组成的网络,用于连接OLT 110设备和ONU 130设备,用于分发或复用OLT 110和ONU 130之间的数据信号。
在该PON系统100中,从OLT 110到ONU 130的方向定义为下行方向,而从ONU 130到OLT 110的方向定义为上行方向。在下行方向,OLT 110采用时分复用(Time Division Multiplexing,TDM)方式将下行数据广播给该OLT 110管理的多个ONU 130,各个ONU 130只接收携带自身标识的数据;而在上行方向,多个ONU 130采用时分多址(Time Division Multiple Access,TDMA)的方式与OLT 110进行通信,每个ONU 130按照OLT 110为其分配的时域资源发送上行数据。采用上述机制,OLT 110发送的下行光信号为连续光信号,而ONU 130发送的上行光信号为突发光信号。
该OLT 110通常位于中心局(Central Office,CO),可以统一管理至少一个ONU 130,并在ONU 130与上层网络之间传输数据。具体来说,该OLT 110可以充当ONU 130与所述上层网络(比如因特网、公共交换电话网络(Public Switched Telephone Network,PSTN)之间的媒介,将从上层网络接收到的数据转发到ONU 130,以及将从ONU 130接收到的数据转发到该上层网络。该OLT 110的具体结构配置可能会因该PON系统100的具体类型而异,比如,在一种实施例中,该OLT 110可以包括发射机和接收机,该发射机用于向ONU 130发送下行连续光信号,该接收机用于接收来自ONU 130的上行突发光信号,其中该下行光信号和上行光信号可以通过该ODN 120进行传输,但本发明实施例不限于此。
该ONU 130可以分布式地设置在用户侧位置(比如用户驻地)。该ONU 130可以为用于与OLT 110和用户进行通信的网络设备,具体而言,该ONU 130可以充当OLT 110与用户之间的媒介,例如,ONU 130可以将从该OLT 110接收到的数据转发到用户,以及将从该用户接收到的数据转发到OLT 110。
该ODN 120可以是一个数据分发网络,可以包括光纤、光耦合器、分光器或其他设备。在一个实施例中,该光纤、光耦合器、分光器或其他设备可以是无源光器件,具体来说,该光纤、光耦合器、分光器或其他设备可以是在OLT 110和ONU 130之间分发数据信号时不需要电源支持的器件。具体地说,以光分路器(Splitter)为例,该光分路器可以通过主干光纤连接到OLT 110,并分别通过多个分支光纤连接到多个ONU 130,从而实现OLT 110和ONU 130之间的点到多点连接。另外,在其他实施例中,该ODN 120还可以包括一个或多个处理设备,例如,光放大器或者中继设备(Relay device)。另外,ODN 120具体可以从OLT 110延伸到多个ONU 130,但也可以配置成其他任何点到多点的结构,本发明实施例不限于此。
PON系统中,比较典型的安全威胁是不合法的ONU伪装成合法的ONU进行收发数据,大量占用带宽,浪费网络资源,导致正常用户无法注册;或不合法的ONU通过伪装成一个已注册成功的ONU窃取用户的重要信息。除此之外,OLT是PON系统重要的局端设备,ONU设备的控制、管理等操作均由OLT负责,如果攻击者伪装成OLT,对其连接管理的大量ONU进行控制,会对终端用户造成极大的安全威胁。
下面,基于图1所示的PON系统100,结合具体的实施例对本申请提出的安全通信的方法和装置进行介绍。
图2所示,为本申请提出的一种安全通信的方法流程图。
210:OLT向ONU发送第一消息,其中包括第一密钥算法,OLT的证书和OLT的公钥。
第一密钥算法可以是预置在OLT上的信息,也可以是OLT根据自身算法能力和ONU的算法能力选择确定的。如,OLT在执行该步骤之前,首先获取ONU支持的算法,如密钥算法,哈希算法,签名算法等一种或多种算法。OLT可以通过多种方式获取ONU支持的算法,如将ONU支持的算法预配置在OLT上,或OLT在该步骤之前向ONU发起认证请求,ONU将其支持的算法发给OLT。OLT根据自身支持的算法和ONU支持的算法,确定第一密钥算法,该第一密钥算法为OLT和ONU都支持的密钥算法。OLT还可以根据配置信息或从ONU获得的信息,确定OLT和ONU都支持的哈希算法和签名算法等。
OLT证书为预置在OLT设备中,或OLT设备提前到证书服务器申请的数字证书;OLT的证书由证书服务器颁发,用于身份验证、数字签名等。需要说明的是,证书对应私钥和公钥,证书中包含证书对应的公钥信息,证书的私钥在持有证书的设备端保存。设备可以使用证书对应的私钥对发送的消息进行签名,接收端使用证书对应的公钥对签名进行验证。
OLT的公钥一般由OLT通过密钥算法计算获得。如,OLT确定第一密钥算法对应的密钥参数(p和g),并生成一个随机数Ys_a作为OLT的私钥。然后将OLT的私钥Ys_a和密钥参数(p和g)作为输入,根据第一密钥算法计算获得OLT的公钥Yc_a。例如,OLT通过如下公式计算获得公钥Yc_a:
Yc_a=g^Ys_a mod p
需要说明的是,OLT的公钥和私钥,与OLT的证书对应的公钥和私钥是两套密钥。
另外,OLT还可以在第一消息中发送如下信息中的一种或多种,如OLT所使用的密钥参数的集合,OLT确定的哈希算法和签名算法等。为提高安全性,OLT还可以使用OLT的证书所对应的私钥对第一消息进行数字签名,以确保第一消息的安全性和完整性。需要说明的是, OLT使用确定的ONU和OLT都支持的哈希算法和签名算法对消息进行签名。
220:ONU对OLT的证书验证通过后,根据第一密钥算法和OLT的公钥确定共享密钥。
ONU收到OLT的第一消息,对第一消息中包含的OLT的证书的有效性进行验证,验证的内容包括OLT的证书是否超期,验证OLT的证书的二级证书,验证OLT的证书是否被吊销等一种或多种。如果OLT的证书验证失败,则向OLT返回失败消息。可选的,如果第一消息包含OLT的数字签名,则ONU在验证OLT的证书之前,首先使用OLT的证书中包含的公钥验证OLT的签名信息。如果签名信息验证失败,则向OLT回复失败消息;如果签名信息验证成功,则进一步验证OLT的证书的有效性。需要说明的是,ONU可以根据预配置的签名算法信息,或根据第一消息中携带的签名算法的信息,对OLT的签名信息进行验证。
ONU对OLT的证书验证成功后,根据第一密钥算法和OLT的公钥确定共享密钥。具体的,ONU确定第一密钥算法对应的密钥参数(p和g),并生成一个随机数Ys_b作为ONU的私钥。然后将ONU的私钥Ys_b和密钥参数(p和g)作为输入,根据第一密钥算法计算获得ONU的公钥Yc_b;然后ONU将密钥参数p,ONU的私钥Ys_b,OLT的公钥Yc_a作为输入,根据第一密钥算法计算获得共享密钥SK。例如,ONU通过如下公式计算获得Yc_b和SK:
Yc_b=g^Ys_b mod p;
SK=Yc_a^Ys_b mod p
该共享密钥SK用于对OLT和ONU间通信进行加密和安全性保护。需要说明的是,ONU可以通过多种方式确定第一密钥算法对应的密钥参数(p和g),如根据预配置的参数,或根据第一消息中携带的OLT使用的密钥参数的集合。
230:ONU向OLT发送第二消息,第二消息包括所述ONU的证书和所述ONU的公钥。
ONU的证书为预置在ONU设备中,或ONU设备提前到证书服务器申请的数字证书;ONU的证书由证书服务器颁发,用于身份验证、数字签名等。与OLT的证书类似,ONU的证书也对应私钥和公钥,且ONU的证书对应的私钥和公钥,和ONU的私钥和公钥是两套密钥。
为提高安全性,ONU还可以使用ONU的证书所对应的私钥对第二消息进行数字签名,以确保第二消息的安全性和完整性。可选的,ONU还可以在第二消息中包含ONU已经确定共享密钥的指示信息。
240:OLT对ONU的证书认证通过后,根据第一密钥算法和ONU的公钥确定共享密钥。
OLT收到ONU的第二消息,对第二消息中包含的ONU的证书的有效性进行验证,验证的内容包括ONU的证书是否超期,验证ONU的证书的二级证书,验证ONU的证书是否被吊销等一种或多种。如果ONU的证书验证失败,则向ONU返回失败消息。可选的,如果第一消息包含ONU的数字签名,则OLT在验证ONU的证书之前,首先使用ONU的证书中包含的公钥验证ONU的签名信息。如果签名信息验证失败,则向ONU回复失败消息;如果签名信息验证成功,则进一步验证ONU的证书的有效性。
OLT对ONU的证书验证成功后,根据第一密钥算法和ONU的公钥确定共享密钥。具体的,ONU将密钥参数p,OLT的私钥Ys_a,ONU的公钥Yc_b作为输入,根据第一密钥算法计算获得共享密钥SK。例如,OLT通过如下公式计算获得SK:
SK=Yc_b^Ys_a mod p
基于模运算的定理(a^b mod P=(a mod P)^b mod P)可以证明,OLT和ONU可以通过如上方法计算获得相同的共享密钥。
Yc_b^Ys_a mod p
=(g^Ys_b mod p)^Ys_a mod p
=(g^Ys_b^Ys_a)mod p
=(g^Ys_a mod p)^Ys_b mod p
=Yc_a^Ys_b mod p
可选的,OLT在确定共享密钥后,还可以向ONU发送消息,消息名称或消息内容用于指示OLT已经确定共享密钥。
250、ONU和OLT使用共享密钥双方之间的通信进行加密和解密。
可见,图2所示的方法中,不仅实现了OLT对ONU的认证,ONU还可以对OLT的合法性进行认证,在没有引入其它设备或实体的情况下,实现了OLT和ONU的双向认证,提升了系统的安全性,降低了运维的难度。而且认证完成后,还协商出了共享密钥,OLT和ONU间的通信通过共享密钥进行加密保护,加强了对数据的安全性保护,提升了通信的安全等级。
基于图2所示的方法构思,图3给出了一种在GPON系统中基于光网络单元管理控制接口实现该方法的示例。光网络单元管理控制接口(ONU Management and Control Interface,OMCI)是GPON标准中定义的一种OLT与ONT之间信息交互的协议,用于在GPON网络中OLT对ONT的管理,包括配置管理、故障管理、性能管理和安全管理等。
301:OLT向ONU发送启动认证的请求。OLT可以在收到ONU的注册消息,并完成ONU的测距后发送该消息。该消息具体可以由OMCI协议的设置SET消息来实现,SET消息中携带OMCI属性“启动证书双向认证”。
302:ONU收到OLT发送的认证请求后,向OLT发送ONU握手消息。该消息具体可以由OMCI的属性值修改AVC消息来实现,即AVC消息中携带OMCI属性“ONU握手”;ONU握手具体包括ONU支持的算法,如密钥算法(如DH),签名算法(如RSA),哈希算法(如SHA256)等。
310:该消息对应图2所示的210消息。具体的,可以由OMCI协议的设置SET消息来实现,SET消息中携带OMCI属性“OLT握手”,“OLT认证”和“OLT密钥交换”。其中,“OLT握手”中包括OLT确定的第一密钥算法;“OLT认证”包括OLT的证书;“OLT密钥交换”包括OLT的公钥。
320:该步骤参见图2所示的220步骤,此处不再赘述。
330:该消息对应图2所示的230消息。具体的,可以由OMCI协议的属性值修改AVC消息来实现,AVC消息中携带OMCI属性“ONU认证”和“ONU密钥交换”。其中“ONU认证”包括ONU的证书,“ONU密钥交换”包括ONU的公钥。
340:该步骤参见图2所示的240步骤,此处不再赘述。
350:该步骤参见图2所示的250步骤,此处不再赘述。
还需要说明的是,OMCI协议中将OLT管理ONT的各种资源和业务抽象成协议独立管理信息库(protocol-independent Management Information Base),管理信息库的基本信息单元是管理实体(manage entity),ONT在OLT的控制下实现各个ME的配置管理功能。因此,本实施例针新增一种OMCI实体类型“认证安全实体”,图3中认证和密钥协商相关的OMCI消息中携带此“认证安全实体”和相应的OMCI属性。在另一种实施例中,还可以通过新增OMCI消息类型的方式实现如图2所示的方法流程,如新增“ONU认证”,“ONU密钥交换”,“OLT握手”,“OLT认证”和“OLT密钥交换”等消息类型。
本申请还提供一种设备400。设备400具体可以用于实现本申请实施例中OLT 110或ONU130的功能。如图4所示,该设备包括处理器401、存储器402和收发器403,该处理器 401、存储器402和收发器403通过线路相互连接。
处理器401可以采用通用的中央处理器(Central Processing Unit,CPU),微处理器,应用专用集成电路ASIC,或者至少一个集成电路,用于执行相关程序,以实现本发明实施例所提供的技术方案。处理器可以独立具备PON相关协议媒体访问控制(medium access control,MAC)的功能,也可以通过外置的芯片来实现PON协议MAC功能,以实现和OLT110和ONU 103间的通信。设备400可以包括多个处理器,每个处理器可以包括一个或多个CPU。处理器401具体负责执行本申请中OLT 110或ONU130相关的方法,并通过收发器403与OLT110或ONU130通信。
存储器402用于存储程序指令和数据。存储器可以是只读存储器(Read Only Memory,ROM),静态存储设备,动态存储设备或者随机存取存储器(Random Access Memory,RAM)。在通过软件或者固件来实现本发明实施例提供的技术方案时,用于实现本发明实施例提供的技术方案的程序代码保存在存储器402中,并由处理器401来执行。存储器402还可以用来存储记录本申请实施例中所述的算法、参数和密钥等信息。
在一实施例中,处理器401内部可以包括存储器402。在另一实施例中,处理器401和存储器402是两个独立的结构。
收发器403用于执行上述各实施例中收发信号或数据的操作。收发器803包括光发射器和/或光接收器。光发射器可以用于发送光信号,光接收器可以用于接收光信号。光发射器可以通过发光器件,例如气体激光器、固体激光器、液体激光器、半导体激光器、直调激光器等实现。光接收器可以通过光检测器,例如光电检波器或者光电二极管(如雪崩二极管)等实现。收发器403还可以包括数模转换器和模数转换器。收发器403还可以包括波分复用器,用于实现不同波长光信号的复用和解复用。
本发明实施例同样具有上述各个方法实施例中所描述的各种有益效果,在此不再赘述。
本发明还提供一种PON安全通信系统,该系统包括上述所述的光线路终端OLT 110和一个或多个光网络单元ONU 130。
在上述实施例中,可以全部或部分地通过软件、硬件、固件或者其任意组合来实现。当使用软件实现时,可以全部或部分地以计算机程序产品的形式实现。所述计算机程序产品包括一个或多个计算机指令。在计算机上加载和执行所述计算机程序指令时,全部或部分地产生按照本发明实施例所述的流程或功能。所述计算机可以是通用计算机、专用计算机、计算机网络、或者其他可编程装置。所述计算机指令可以存储在计算机可读存储介质中,或者从一个计算机可读存储介质向另一个计算机可读存储介质传输,例如,所述计算机指令可以从一个网站站点、计算机、服务器或数据中心通过有线(例如同轴电缆、光纤、数字用户线(DSL))或无线(例如红外、无线、微波等)方式向另一个网站站点、计算机、服务器或数据中心进行传输。所述计算机可读存储介质可以是计算机能够存取的任何可用介质或者是包含一个或多个可用介质集成的服务器、数据中心等数据存储设备。所述可用介质可以是磁性介质,(例如,软盘、硬盘、磁带)、光介质(例如,DVD)、或者半导体介质(例如固态硬盘Solid State Disk(SSD))等。
Claims (39)
- 一种安全通信方法,其特征在于,包括:OLT向ONU发送第一消息,所述第一消息包括第一密钥算法,所述OLT的证书和所述OLT的公钥,所述第一密钥算法为所述OLT和所述ONU都支持的密钥算法;所述ONU对所述OLT的证书验证通过后,根据所述第一密钥算法和所述OLT的公钥确定共享密钥;所述ONU向所述OLT发送第二消息,所述第二消息包括所述ONU的证书和所述ONU的公钥;所述OLT对所述ONU的证书验证通过后,根据所述第一密钥算法和所述ONU的公钥确定所述共享密钥;所述ONU和所述OLT使用所述共享密钥对所述ONU和所述OLT间的通信进行加密。
- 根据权利要求1所述的方法,其特征在于,所述方法还包括:所述ONU接收所述OLT发送的认证请求;所述ONU向所述OLT发送第三消息,所述第三消息包括所述ONU支持的密钥算法;所述OLT根据所述ONU支持的密钥算法和所述OLT支持的密钥算法,确定第一密钥算法。
- 根据权利要求1或2所述的方法,其特征在于,所述第一消息中还包括密钥参数集合,所述密钥参数集合中包括一个或多个密钥参数。
- 根据权利要求3所述的方法,其特征在于,所述方法还包括:所述OLT将随机数作为所述OLT的私钥,所述OLT根据所述第一密钥算法,第一密钥参数和所述OLT的私钥确定所述OLT的公钥,所述第一密钥参数为所述密钥参数集合中的一个或多个密钥参数;所述ONU将随机数作为所述ONU的私钥,所述ONU根据所述第一密钥算法,所述第一密钥参数和所述ONU的私钥确定所述ONU的公钥。
- 根据权利要求3所述的方法,其特征在于,所述ONU根据所述第一密钥算法和所述OLT的公钥确定共享密钥,具体包括:所述ONU根据所述第一密钥算法,第二密钥参数,所述OLT的公钥和所述ONU的私钥确定所述共享密钥,所述第二密钥参数为所述密钥参数集合中的一个或多个密钥参数;所述OLT根据所述第一密钥算法和所述ONU的公钥确定共享密钥,具体包括:所述OLT根据所述第一密钥算法,所述第二密钥参数,所述ONU的公钥和所述OLT的私钥确定所述共享密钥。
- 根据权利要求1-5任一所述的方法,其特征在于,所述OLT使用所述OLT的证书对应的私钥对所述第一消息进行数字签名;所述ONU使用所述ONU的证书对应的私钥对所述第二消息进行数字签名。
- 根据权利要求1-6任一所述的方法,其特征在于,所述OLT在收到所述ONU的注册消息后,向所述ONU发送所述第一消息。
- 根据权利要求2所述的方法,其特征在于,所述第一消息,第二消息,第三消息和认证请求通过光网络终端管理控制接口(optical network terminal management and control interface,OMCI)消息传输。
- 根据权利要求8所述的方法,其特征在于,所述认证消息和所述第一消息为OMCI设 置SET消息;所述第二消息和所述第三消息为OMCI属性值修改(Attribute Value Change,AVC)消息。
- 根据权利要求8所述的方法,其特征在于,所述第一消息,第二消息,第三消息和认证请求分别对应OMCI不同的消息类型。
- 根据权利要求8所述的方法,其特征在于,用于传递所述第一消息,第二消息,第三消息,和认证请求的OMCI消息中还包括安全认证管理实体的标识。
- 根据权利要求1-11所述的方法,其特征在于,所述第二消息中还包括用于指示已经生成共享密钥的指示信息;所述OLT确定所述共享密钥后,所述OLT还向所述ONU发送指示信息,指示已经生成共享密钥。
- 一种安全通信方法,其特征在于,包括:OLT向ONU发送第一消息,所述第一消息包括第一密钥算法,所述OLT的证书和所述OLT的公钥,所述第一密钥算法为所述OLT和所述ONU都支持的密钥算法;所述OLT接收来自所述ONU的第二消息,所述第二消息包括所述ONU的证书和所述ONU的公钥;所述OLT对所述ONU的证书验证通过后,根据所述第一密钥算法和所述ONU的公钥确定共享密钥,所述共享密钥用于对所述OLT和所述ONU间的会话进行加密。
- 根据权利要求13所述的方法,其特征在于,所述OLT发送第一消息之前,所述方法还包括:所述OLT向所述ONU发送认证请求;所述OLT接收所述ONU发送的第三消息,所述第三消息包括所述ONU支持的密钥算法;所述OLT根据所述ONU支持的密钥算法和所述OLT支持的密钥算法,确定第一密钥算法。
- 根据权利要求13或14所述的方法,其特征在于,所述第一消息中还包括密钥参数集合,所述密钥参数集合中包括一个或多个密钥参数。
- 根据权利要求13所述的方法,其特征在于,所述方法还包括:所述OLT将随机数作为所述OLT的私钥,所述OLT根据所述第一密钥算法,第一密钥参数和所述OLT的私钥确定所述OLT的公钥,所述第一密钥参数为所述密钥参数集合中的一个或多个密钥参数。
- 根据权利要求13所述的方法,其特征在于,所述OLT根据所述第一密钥算法和所述ONU的公钥确定共享密钥,具体包括:所述OLT根据所述第一密钥算法,第二密钥参数,所述ONU的公钥和所述OLT的私钥确定所述共享密钥,所述第二密钥参数为所述密钥参数集合中的一个或多个密钥参数。
- 根据权利要求13-17任一所述的方法,其特征在于,所述OLT使用所述OLT的证书对应的私钥对所述第一消息进行数字签名。
- 根据权利要求13-18任一所述的方法,其特征在于,所述OLT在收到所述ONU的注册消息后,向所述ONU发送所述第一消息。
- 根据权利要求14所述的方法,其特征在于,所述第一消息,第二消息,第三消息和认证请求通过光网络终端管理控制接口(optical network terminal management and control interface,OMCI)消息传输。
- 根据权利要求20所述的方法,其特征在于,所述认证消息和所述第一消息为OMCI设置SET消息;所述第二消息和所述第三消息为OMCI属性值修改(Attribute Value Change, AVC)消息。
- 根据权利要求20所述的方法,其特征在于,所述第一消息,第二消息,第三消息和认证请求分别对应OMCI不同的消息类型。
- 根据权利要求20所述的方法,其特征在于,用于传递所述第一消息,第二消息,第三消息,和认证请求的OMCI消息中还包括安全认证管理实体的标识。
- 根据权利要求13-23所述的方法,其特征在于,所述第二消息中还包括用于指示已经生成共享密钥的指示信息;所述OLT确定所述共享密钥后,所述OLT还向所述ONU发送指示信息,指示已经生成共享密钥。
- 一种安全通信方法,其特征在于,包括:ONU接收OLT发送的第一消息,所述第一消息包括第一密钥算法,所述OLT的证书和所述OLT的公钥,所述第一密钥算法为所述OLT和所述ONU都支持的密钥算法;所述ONU对所述OLT的证书验证通过后,根据所述第一密钥算法和所述OLT的公钥确定共享密钥,所述共享密钥用于对所述OLT和所述ONU间的会话进行加密;所述ONU向所述OLT发送第二消息,所述第二消息包括所述ONU的证书和所述ONU的公钥,所述ONU的公钥用于使OLT确定所述共享密钥。
- 根据权利要求25所述的方法,其特征在于,所述方法还包括:所述ONU接收所述OLT发送的认证请求;所述ONU向所述OLT发送第三消息,所述第三消息包括所述ONU支持的密钥算法。
- 根据权利要求25或26所述的方法,其特征在于,所述第一消息中还包括密钥参数集合,所述密钥参数集合中包括一个或多个密钥参数。
- 根据权利要求27所述的方法,其特征在于,所述方法还包括:所述ONU将随机数作为所述ONU的私钥,所述ONU根据所述第一密钥算法,所述第一密钥参数和所述ONU的私钥确定所述ONU的公钥。
- 根据权利要求27所述的方法,其特征在于,所述ONU根据所述第一密钥算法和所述OLT的公钥确定共享密钥,具体包括:所述ONU根据所述第一密钥算法,第二密钥参数,所述OLT的公钥和所述ONU的私钥确定所述共享密钥,所述第二密钥参数为所述密钥参数集合中的一个或多个密钥参数。
- 根据权利要求25-29任一所述的方法,其特征在于,所述ONU使用所述ONU的证书对应的私钥对所述第二消息进行数字签名。
- 根据权利要求25-30任一所述的方法,其特征在于,所述ONU向所述OLT发送注册消息后,收到所述第一消息。
- 根据权利要求26所述的方法,其特征在于,所述第一消息,第二消息,第三消息和认证请求通过光网络终端管理控制接口(optical network terminal management and control interface,OMCI)消息传输。
- 根据权利要求32所述的方法,其特征在于,所述认证消息和所述第一消息为OMCI设置SET消息;所述第二消息和所述第三消息为OMCI属性值修改(Attribute Value Change,AVC)消息。
- 根据权利要求32所述的方法,其特征在于,所述第一消息,第二消息,第三消息和认证请求分别对应OMCI不同的消息类型。
- 根据权利要求32所述的方法,其特征在于,用于传递所述第一消息,第二消息,第 三消息,和认证请求的OMCI消息中还包括安全认证管理实体的标识。
- 根据权利要求25-35所述的方法,其特征在于,所述第二消息中还包括用于指示已经生成共享密钥的指示信息。
- 一种光线路终端,其特征在于,所述光线路终端包括处理器、存储器、和收发器,其中,所述收发器,用于进行信号或数据的收发;所述存储器,用于存储程序指令;所述处理器,用于执行所述存储器中存储的程序指令,当所述程序被执行时,所述光线路终端执行如权利要求13-24中任意一项所述的方法。
- 一种光网络单元,其特征在于,所述光网络单元包括处理器、存储器、和收发器,其中,所述收发器,用于进行信号或数据的收发;所述存储器,用于存储程序指令;所述处理器,用于执行所述存储器中存储的程序指令,当所述程序被执行时,所述光网络单元执行如权利要求25-36中任意一项所述的方法。
- 一种PON安全通信系统,其特征在于,所述PON安全通信系统包括如权利要求37所述的光线路终端和如权利要求38所述的光网络单元。
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US18/124,194 US20230231728A1 (en) | 2020-09-22 | 2023-03-21 | Secure communication method and apparatus in passive optical network |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN202011002853.0 | 2020-09-22 | ||
CN202011002853.0A CN114302264A (zh) | 2020-09-22 | 2020-09-22 | 一种无源光网络中的安全通信方法和装置 |
Related Child Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US18/124,194 Continuation US20230231728A1 (en) | 2020-09-22 | 2023-03-21 | Secure communication method and apparatus in passive optical network |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2022062948A1 true WO2022062948A1 (zh) | 2022-03-31 |
Family
ID=80845016
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2021/118085 WO2022062948A1 (zh) | 2020-09-22 | 2021-09-14 | 一种无源光网络中的安全通信方法和装置 |
Country Status (3)
Country | Link |
---|---|
US (1) | US20230231728A1 (zh) |
CN (1) | CN114302264A (zh) |
WO (1) | WO2022062948A1 (zh) |
Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101662705A (zh) * | 2009-10-19 | 2010-03-03 | 国网信息通信有限公司 | 以太网无源光网络epon的设备认证方法及系统 |
CN102246487A (zh) * | 2008-11-03 | 2011-11-16 | 意大利电信股份公司 | 提高无源光网络中的安全性的方法 |
CN103905209A (zh) * | 2014-04-30 | 2014-07-02 | 殷爱菡 | 基于NTRUSign无源光网络接入双向认证的方法 |
US20150156014A1 (en) * | 2013-12-02 | 2015-06-04 | Alcatel-Lucent Usa Inc. | Method And Apparatus For ONU Authentication |
-
2020
- 2020-09-22 CN CN202011002853.0A patent/CN114302264A/zh active Pending
-
2021
- 2021-09-14 WO PCT/CN2021/118085 patent/WO2022062948A1/zh active Application Filing
-
2023
- 2023-03-21 US US18/124,194 patent/US20230231728A1/en active Pending
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102246487A (zh) * | 2008-11-03 | 2011-11-16 | 意大利电信股份公司 | 提高无源光网络中的安全性的方法 |
CN101662705A (zh) * | 2009-10-19 | 2010-03-03 | 国网信息通信有限公司 | 以太网无源光网络epon的设备认证方法及系统 |
US20150156014A1 (en) * | 2013-12-02 | 2015-06-04 | Alcatel-Lucent Usa Inc. | Method And Apparatus For ONU Authentication |
CN103905209A (zh) * | 2014-04-30 | 2014-07-02 | 殷爱菡 | 基于NTRUSign无源光网络接入双向认证的方法 |
Also Published As
Publication number | Publication date |
---|---|
US20230231728A1 (en) | 2023-07-20 |
CN114302264A (zh) | 2022-04-08 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
JP5366108B2 (ja) | 光ネットワーク終端装置管理制御インターフェースベースの受動光ネットワークセキュリティ強化 | |
US9838363B2 (en) | Authentication and initial key exchange in ethernet passive optical network over coaxial network | |
KR100675836B1 (ko) | Epon 구간내에서의 링크 보안을 위한 인증 방법 | |
US8490159B2 (en) | Method for increasing security in a passive optical network | |
KR100715679B1 (ko) | 인증 암호화를 통해 보안 전송을 가능하게 하는 gpon시스템 및 그 인증 암호화 방법 | |
US8948401B2 (en) | Method for filtering of abnormal ONT with same serial number in a GPON system | |
EP2439871B1 (en) | Method and device for encrypting multicast service in passive optical network system | |
JP4739419B2 (ja) | イーサネットポンにおける保安チャネルの制御方法及び装置 | |
WO2022062948A1 (zh) | 一种无源光网络中的安全通信方法和装置 | |
WO2014101084A1 (zh) | 一种认证方法、设备和系统 | |
CN101998180B (zh) | 一种支持光线路终端和光网络单元版本兼容的方法及系统 | |
KR100606095B1 (ko) | 수동 광가입자망 시스템에서 가입자 인증 후 암호화 키의전달 방법 및 장치 |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
121 | Ep: the epo has been informed by wipo that ep was designated in this application |
Ref document number: 21871319 Country of ref document: EP Kind code of ref document: A1 |
|
NENP | Non-entry into the national phase |
Ref country code: DE |
|
122 | Ep: pct application non-entry in european phase |
Ref document number: 21871319 Country of ref document: EP Kind code of ref document: A1 |