WO2022161369A1 - Method and apparatus for processing security management information for an optical transport network

Info

Publication number
WO2022161369A1
Authority
WO
WIPO (PCT)
Prior art keywords
osu
encryption
oam
frame
security management
Prior art date
Application number
PCT/CN2022/073865
Other languages
English (en)
Chinese (zh)
Inventor
童玲玲
张源斌
Original Assignee
中兴通讯股份有限公司
Priority date
Filing date
Publication date
Application filed by 中兴通讯股份有限公司
Publication of WO2022161369A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/04 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
    • H04L63/0428 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
    • H04L63/0435 Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload wherein the sending and receiving network entities apply symmetric encryption, i.e. same key used for encryption and decryption
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04J MULTIPLEX COMMUNICATION
    • H04J3/00 Time-division multiplex systems
    • H04J3/16 Time-division multiplex systems in which the time allocation to individual channels within a transmission cycle is variable, e.g. to accommodate varying complexity of signals, to vary number of channels transmitted
    • H04J3/1605 Fixed allocated frame structures
    • H04J3/1652 Optical Transport Network [OTN]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/083 Network architectures or network communication protocols for network security for authentication of entities using passwords
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/08 Network architectures or network communication protocols for network security for authentication of entities
    • H04L63/0869 Network architectures or network communication protocols for network security for authentication of entities for achieving mutual authentication

Definitions

  • the embodiments of the present disclosure relate to the field of communications, and in particular, to a method and device for processing security management information in an optical transport network.
  • SFH: Secure Frame Header
  • SFB: Secure Frame Body
  • SFC: Secure Frame Check
  • SFC and SFH are collectively called the encapsulation information of the security frame.
  • In the FlexO security implementation, the encapsulation information SFH and SFC of the security frame is carried in the FlexO overhead. In the ODU security implementation, because there are few reserved fields in the ODU overhead, the security frame encapsulation information SFH and SFC has to be transmitted in a multi-frame manner.
  • OSU: Optical Service Unit
  • OSU technology mainly maps small-granularity services into OSUs, divides the payload area of the OTN (Optical Transport Network) frame into multiple PB (Payload Block) blocks, multiplexes the OSU frames into the PB blocks according to a specific algorithm, and finally completes transmission of the OSU through the optical port.
  • OSU supports state monitoring at the PM (Path Monitor) level and at multiple TCM (Tandem Connection Monitor) levels.
  • PM: Path Monitor (channel detection)
  • TCM: Tandem Connection Monitor
  • the embodiments of the present disclosure provide a method and device for processing security management information of an optical transport network, so as to at least solve the problem of how to ensure the security of OSU transmission in the related art.
  • a method for processing security management information of an optical transport network comprising: inserting an OSU OAM (Operation Administration Maintenance) security management frame into the OSU every N OSU frames, encrypting the N OSU frames, and carrying the encrypted security frame header SFH in the OSU OAM security management frame preceding the N OSU frames; that is, in the OSU, one OSU OAM security management frame is inserted at every interval of N OSU frames.
  • OSU OAM: Operation Administration Maintenance
  • an apparatus for processing security management information of an optical transport network comprising: an encryption module configured to encrypt N OSU frames of an optical service unit OSU; and a bearer module configured to carry the encrypted security frame header SFH in the OSU OAM security management frame preceding the N OSU frames.
  • a computer-readable storage medium is also provided, in which a computer program is stored, the computer program being configured to execute the steps of any one of the above method embodiments when run.
  • an electronic device comprising a memory and a processor, wherein the memory stores a computer program and the processor is configured to run the computer program so as to execute the steps of any one of the above method embodiments.
  • an OSU OAM security management frame is inserted into the OSU every N OSU frames, and the N OSU frames are encrypted; the encrypted security frame header SFH is carried in the OSU OAM security management frame preceding the N OSU frames.
  • this solves the problem in the related art of how to ensure the security of OSU transmission: the OSU OAM security management frame inserted every N OSU frames carries the security frame encapsulation information (SFH) used to encrypt those N OSU frames, which ensures the secure transmission of the OSU frames.
  • FIG. 1 is a hardware structural block diagram of a mobile terminal of a method for processing security management information of an optical transport network according to an embodiment of the present disclosure
  • FIG. 2 is a flowchart of a method for processing security management information of an optical transport network according to an embodiment of the present disclosure
  • FIG. 3 is a flowchart of a method for processing security management information of an optical transport network according to a preferred embodiment of the present disclosure
  • Figure 4 is a schematic diagram of the Nx frame OSU covered by the OSU OAM security management frame
  • Figure 5 is a schematic diagram of the overhead byte position of the OSU OAM security management frame
  • Figure 6 is a schematic diagram of the SFH and SFC at each level of the OSU OAM security management frame
  • FIG. 7 is a schematic diagram of an identity authentication process according to an optional embodiment of the present disclosure.
  • FIG. 8 is a schematic diagram of a message format in an identity authentication process according to an optional embodiment of the disclosure.
  • FIG. 9 is a schematic diagram of a TCM1-level OSU-encrypted OAM security management frame according to an optional embodiment of the disclosure.
  • FIG. 10 is a schematic diagram of OSU encryption at the TCM1 layer according to an optional embodiment of the disclosure.
  • FIG. 11 is a schematic diagram of a PM+TCM1+TCM2 three-layer encryption OSU OAM security management frame according to an optional embodiment of the disclosure
  • Figure 12 is a schematic diagram of OSU encryption at PM, TCM1 and TCM2 layers;
  • Nx and Ny take a fixed OSU period while Nz takes an unfixed OSU period, according to an optional embodiment of the disclosure
  • Figure 14 is a schematic diagram of Nx and Ny taking a fixed OSU cycle, and Nz taking an unfixed OSU cycle (1);
  • Figure 15 is a schematic diagram of Nx and Ny taking a fixed OSU cycle, and Nz taking an unfixed OSU cycle (2);
  • Figure 16 is a schematic diagram of Nx and Ny taking a fixed OSU cycle, and Nz taking an unfixed OSU cycle (3);
  • FIG. 17 is an example flowchart of a specific message of an identity authentication process according to an optional embodiment of the present disclosure.
  • FIG. 18 is a structural diagram of an apparatus for processing security management information of an optical transport network according to an embodiment of the present disclosure
  • FIG. 19 is a structural diagram of a security management information processing apparatus of an optical transport network according to a preferred embodiment of the present disclosure.
  • FIG. 1 is a hardware structural block diagram of a mobile terminal of a method for processing security management information of an optical transport network according to an embodiment of the present disclosure.
  • the mobile terminal may include one or more (Fig.
  • a processor 102 may include, but is not limited to, a processing device such as a microprocessor MCU or a programmable logic device FPGA, etc.
  • a memory 104 for storing data
  • the above-mentioned mobile terminal may also include a transmission device 106 and an input/output device 108 for communication functions.
  • FIG. 1 is only a schematic diagram, which does not limit the structure of the above-mentioned mobile terminal.
  • the mobile terminal may also include more or fewer components than those shown in FIG. 1 , or have a different configuration than that shown in FIG. 1 .
  • the memory 104 can be used to store computer programs, for example, software programs and modules of application software, such as computer programs corresponding to the method for processing security management information of the optical transport network in the embodiment of the present disclosure.
  • a computer program is used to execute various functional applications and slicing processing of the business chain address pool, that is, to implement the above method.
  • Memory 104 may include high-speed random access memory, and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory.
  • the memory 104 may further include memory located remotely from the processor 102, and these remote memories may be connected to the mobile terminal through a network. Examples of such networks include, but are not limited to, the Internet, an intranet, a local area network, a mobile communication network, and combinations thereof.
  • Transmission means 106 are used to receive or transmit data via a network.
  • the specific example of the above-mentioned network may include a wireless network provided by a communication provider of the mobile terminal.
  • the transmission device 106 includes a network adapter (Network Interface Controller, NIC for short), which can be connected to other network devices through a base station so as to communicate with the Internet.
  • the transmission device 106 may be a radio frequency (Radio Frequency, RF for short) module, which is used to communicate with the Internet in a wireless manner.
  • RF Radio Frequency
  • FIG. 2 is a flowchart of a method for processing security management information of an optical transport network according to an embodiment of the present disclosure. As shown in FIG. 2, the process includes the following steps:
  • Step S202 inserting OSU OAM security management frames at every interval of N OSU frames in the OSU, and encrypting the N OSU frames;
  • Step S204 carrying the encrypted security frame header SFH into the OSU OAM security management frame before the N OSU frames.
  • the OSU OAM security management frame is inserted into the OSU every N OSU frames, the N OSU frames are encrypted, and the encrypted security frame header SFH is carried in the OSU OAM security management frame preceding the N OSU frames; this solves the problem in the related art of how to ensure the security of OSU transmission.
  • because the OSU OAM security management frame inserted every N OSU frames carries the security frame encapsulation information (i.e. the SFH) used to encrypt those N OSU frames, the secure transmission of the OSU frames is ensured.
  • the method further includes: performing the integrity calculation required for authentication on the N OSU frames, and carrying the resulting security frame check SFC in the OSU OAM security management frame following the N OSU frames.
  • before step S202, the method further includes: performing bidirectional identity authentication with the encryption sink.
  • before the OSU frames are encrypted, bidirectional identity authentication with the encryption sink is also required. Specifically, a first identity authentication request message is sent to the encryption sink, carrying authentication information and the processed first private key information; a first identity authentication response message is then received, which the encryption sink sends after authenticating according to the authentication information and passing the authentication, and which carries the processed second private key information and encrypted information, the encrypted information being the temporary K pair that the encryption sink obtains from the processed first private key information and the second private key information.
  • the OSU frames carrying the OSU OAM security management frame are sent to the encryption sink, which is configured to decrypt the OSU frames according to the OSU OAM security management frame.
  • after the security frame encapsulation information has been carried in the OSU OAM security management frame, the OSU frames still have to be sent to the encryption sink, which decrypts them; the security frame encapsulation information includes the SFH and/or the SFC.
  • step S202 may specifically include: if no OSU OAM security management frame is detected in the OSU, the current encryption level A of the OSU is the first of the M encryption levels of the OSU frame to be activated; an OSU OAM security management frame is then inserted every N OSU frames, the N OSU frames are encrypted, the encryption state of encryption level A in the OAM frame is set to encrypted, and the value of N in the OAM frame is set to a known value.
  • if the current encryption level A of the OSU is not the first of the M encryption levels of the OSU frame to be activated, the N OSU frames are encrypted and the generated security encapsulation information is carried in the overhead corresponding to encryption level B of the OSU OAM management frame.
  • the encryption function of the OSU frame is activated, or the encryption and authentication functions of the OSU frame are activated.
  • the encryption function of the OSU frame has to be activated first; only then is it determined whether the current level is the first encryption level to be activated.
  • likewise, the authentication function of the OSU frame has to be activated first; only then is it determined whether the current level is the first encryption level to be activated.
  • the value of N is determined according to the available bandwidth of the OSU security management frame and the encryption processing delay requirement.
  • N needs to be determined first, and then it is determined whether the current level is the first activated encryption level.
  • the encryption state of the encryption source end of encryption level A is obtained from the OSU OAM security management frame.
  • the value of N is determined so as to enable the encryption function, or the encryption and authentication functions, of encryption level B; the encryption state of encryption level B is set to the encrypted state and carried in the OSU OAM security management frame.
  • the above step S204 includes: carrying the security frame encapsulation information in the overhead corresponding to the encryption level A in the OSU OAM security management frame.
  • the security frame encapsulation information has to be carried in the overhead corresponding to encryption level A. The OSU OAM security management frame includes, for each of the M encryption levels, overhead for storing the encryption state, overhead for storing the value of N, and overhead for storing the security frame header SFH and/or the security frame check SFC; the security frame encapsulation information consists of the security frame header SFH and/or the security frame check SFC.
  • the value of N and the encrypted state of the current encryption level are carried in the OSU OAM security management frame. That is, the N value and the encrypted state can also be carried in the OSU OAM security management frame.
  • FIG. 3 is a flowchart of a method for processing security management information of an optical transport network according to a preferred embodiment of the present disclosure. As shown in FIG. 3 , the flowchart includes the following steps:
  • Step S302 identify the OSU OAM security management frame from the received OSU;
  • Step S304 decrypt the OSU according to the OSU OAM security management frame.
  • step S304 includes: identifying the encryption state of encryption level A from the OSU OAM security management frame; if the encryption state of encryption level A is the encrypted state and the local node is the decryption end of encryption level A, decrypting the OSU according to the OSU OAM security management frame.
  • step S304 includes: extracting the value of N and the SFH from the OSU OAM security management frame; judging whether the number of OSU frames between adjacent OAM frames is N; and, if so, decrypting the N OSU frames according to the SFH to obtain the plaintext OSU.
  • decrypting the N OSU frames according to the SFH to obtain the plaintext OSU includes: if the OSU OAM security management frame also carries the security frame check SFC used to authenticate the N OSU frames, authenticating the N OSU frames according to the SFC, and only after the authentication passes decrypting the N OSU frames according to the SFH to obtain the plaintext OSU.
  • the N OSU frames therefore have to be authenticated according to the SFC first and decrypted according to the SFH second to obtain the plaintext OSU frames.
  • the method further includes: when the encryption state of the encryption level A is an encrypted state and is not the decryption end of the encryption level A, transparently transmitting the OSU frame.
  • the OSU frame can also be transparently transmitted under the condition that the encryption state is not the decryption end.
  • the encryption state of encryption level A in the OSU OAM security management frame is set to unencrypted. That is, the encryption status can also be cleared and set to unencrypted.
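As an added example (not the patent's or ZTE's code), the following Python simulation implements the source-side steps S202/S204 and the sink-side steps S302/S304 for a single encryption level. The OAM security management frame modelled as a dict, the HMAC-SHA256 counter-mode keystream standing in for the 128-bit block cipher the embodiments mention, the SFH modelled as a per-group counter and the SFC as a 16-byte HMAC tag are all assumptions of the example. It also exercises the two checks the sink has to make before decrypting: that exactly N OSU frames sit between adjacent OAM frames, and that the SFC carried in the following OAM frame verifies.

```python
"""Single-level OSU OAM security management framing (added example, not from the patent)."""
import hashlib
import hmac

OSU_FRAME_LEN = 192   # OSU frame length in bytes, as in the embodiments
SFC_LEN = 16          # assumed: bytes of SFC tag carried in the OAM frame


def keystream(key: bytes, sfh: int, nbytes: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (assumed stand-in for a block cipher)."""
    out, block = b"", 0
    while len(out) < nbytes:
        msg = sfh.to_bytes(8, "big") + block.to_bytes(4, "big")
        out += hmac.new(key, msg, hashlib.sha256).digest()
        block += 1
    return out[:nbytes]


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def frame_check(key: bytes, sfh: int, cipher_frames: list) -> bytes:
    """SFC: integrity tag over the SFH and the N encrypted frames it covers."""
    data = sfh.to_bytes(8, "big") + b"".join(cipher_frames)
    return hmac.new(key, data, hashlib.sha256).digest()[:SFC_LEN]


def oam_frame(n: int, state: str, sfh, sfc) -> dict:
    """OSU OAM security management frame overhead, modelled as a dict (assumption)."""
    return {"oam": True, "N": n, "state": state, "SFH": sfh, "SFC": sfc}


def osu_source(plain_frames: list, key: bytes, n: int) -> list:
    """Steps S202/S204: insert an OAM frame every N OSU frames, encrypt the N frames,
    carry their SFH in the OAM frame before them and their SFC in the OAM frame after."""
    if len(plain_frames) % n:
        raise ValueError("the example needs a whole number of N-frame groups")
    stream, prev_sfc = [], None
    for g in range(len(plain_frames) // n):
        sfh = g   # assumed SFH content: a per-group counter feeding the keystream
        stream.append(oam_frame(n, "encrypted", sfh, prev_sfc))
        ks = keystream(key, sfh, n * OSU_FRAME_LEN)
        group = plain_frames[g * n:(g + 1) * n]
        cipher = [xor(f, ks[i * OSU_FRAME_LEN:(i + 1) * OSU_FRAME_LEN]) for i, f in enumerate(group)]
        stream.extend(cipher)
        prev_sfc = frame_check(key, sfh, cipher)
    # closing OAM frame: carries the SFC of the last group and no further SFH
    stream.append(oam_frame(n, "encrypted", None, prev_sfc))
    return stream


def osu_sink(stream: list, key: bytes) -> list:
    """Steps S302/S304: identify OAM frames, check the frame count equals N,
    authenticate with the SFC, and only then decrypt with the SFH."""
    plain, pending, sfh, n = [], [], None, None
    for item in stream:
        if isinstance(item, dict) and item.get("oam"):
            if sfh is not None:   # this OAM frame closes the group opened by the previous one
                if len(pending) != n:
                    raise ValueError(f"expected {n} OSU frames between OAM frames, got {len(pending)}")
                if item["SFC"] is None or not hmac.compare_digest(item["SFC"], frame_check(key, sfh, pending)):
                    raise ValueError("SFC authentication failed; frames discarded, not decrypted")
                ks = keystream(key, sfh, n * OSU_FRAME_LEN)
                plain.extend(xor(f, ks[i * OSU_FRAME_LEN:(i + 1) * OSU_FRAME_LEN]) for i, f in enumerate(pending))
            if item["state"] != "encrypted":
                raise ValueError("this sink only handles the encrypted state")
            pending, sfh, n = [], item["SFH"], item["N"]
        else:
            pending.append(item)
    if pending:
        raise ValueError("stream ended without the closing OAM frame carrying the last SFC")
    return plain


def demo() -> tuple:
    """Constructed input: six 192-byte OSU frames and N = 3; returns (plaintext, stream, recovered)."""
    key = bytes(range(32))   # constructed key for the example
    frames = [bytes([i]) * OSU_FRAME_LEN for i in range(6)]
    stream = osu_source(frames, key, 3)
    return frames, stream, osu_sink(stream, key)
```

Authenticate-then-decrypt is deliberate: a frame group whose SFC does not verify is rejected before any keystream is applied, which is the order the method prescribes and which keeps a corrupted or replayed group from ever reaching the demapper.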
  • the OSU security implementation method of authentication combined with encryption is as follows:
  • Step 1: after the OSUP or OSUT is generated, a level Q can be chosen at which to enable encryption and authentication. If level Q is the first level among all levels of the OSU service to enable encryption, the local end inserts an OSU OAM security management frame every Nx OSU frames and carries in it the security frame encapsulation information generated by encrypting and authenticating those Nx OSU frames. If the encryption source of this level is not the first encryption level enabled for the OSU service, the existing OSU OAM security management frame in the OSU frame stream is identified, and the security frame encapsulation information generated by encrypting and authenticating the Nx OSU frames is carried in that OSU OAM security management frame.
  • Step 2 Carry the Nx value in the OSU OAM security management frame.
  • the Nx value is variable for the same OSU service, and Nx is the number of OSU frames between two OSU OAM security management frames.
  • Figure 4 is a schematic diagram of the Nx OSU frames covered by one OSU OAM security management frame. The choice of Nx has to balance three factors: the bandwidth of the OSU OAM security management frame, the buffering and delay introduced by OSU encryption and authentication, and the encryption block size of the encryption algorithm.
  • Step 3: Figure 5 is a schematic diagram of the overhead byte positions of the OSU OAM security management frame. As shown in Figure 5, the overhead of the OSU OAM security management frame defines a state indication for each of the M encryption levels of the OSU, distinguishing the encrypted state from the unencrypted state.
  • Step 4 If the encryption source end of this level Q does not enable encryption and authentication functions, then the encryption state of this level is set to the unencrypted state, and the OSU OAM security management frames of other levels are transparently transmitted. If the encryption and authentication functions are enabled at the encryption source end of level Q, the encryption state of the Q level is set to the encryption state.
  • Step 5 Figure 6 is a schematic diagram of SFH and SFC at each level of the OSU OAM security management frame.
  • the encryption source end of level Q encrypts and authenticates the Nx OSU frames between adjacent OSU OAM management frames in 128-bit blocks, and carries the resulting security frame encapsulation information in the OSU OAM security management frame overhead of the corresponding level.
  • Step 6: the encryption sink node identifies the OSU OAM security management frame, reads the encryption state of a given level Q from it, and determines whether it is the decryption end of level Q. If so, it extracts the Nx value and the security encryption overhead from the OSU OAM security management frame, determines whether the number of OSU frames between two adjacent OSU OAM frames is Nx and, if so, uses the security encryption overhead to authenticate and decrypt the Nx OSU frames, obtaining the plaintext decrypted at level Q of the OSU. If the node is not the decryption end of level Q, or encryption of a different level P (P not equal to Q) is enabled on the node, the corresponding OAM security management frame and OSU frames are transmitted transparently.
  • the OSU security implementation method of encryption combined with authentication is as follows:
  • FIG. 7 is a schematic diagram of an identity authentication process according to an optional embodiment of the disclosure, as shown in FIG. 7 , including:
  • Step S1 identity authentication request message type I
  • Step S2 identity authentication response message type I or type II;
  • Step S3 identity authentication request message type II or response message type II;
  • Step S4 identity authentication response message type II.
  • the identity authentication request message type I includes fixed authentication information and private key material information
  • the identity authentication response message type I includes Random authentication information and private key material information
  • identity authentication request message type II includes authentication subject information
  • identity authentication response message type II includes authentication results.
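The four-message exchange of FIG. 7 and the key material described above, written out as an added Python simulation with both ends' messages (this is not the patent's or ZTE's code, and the patent does not fix the cryptographic primitives). The example assumes: the "private key material information" exchanged is a Diffie-Hellman public value over a toy group (P = 2^127 - 1, G = 3, chosen only so the code runs without libraries), the fixed and random "authentication information" are HMAC-SHA256 tags under a pre-shared authentication key, the "temporary K" is the hashed DH shared secret, and the "encrypted information" in response type I is a key-confirmation tag under that temporary K. The branches in which the sink or the source answers with response type II on failure follow the "type I or type II" alternatives in steps S2 and S3.

```python
"""Bidirectional identity authentication with temporary key agreement, modelled on FIG. 7
(added example, not from the patent)."""
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group (assumption of the example; a product would use a vetted standard group)
P = 2 ** 127 - 1
G = 3


def auth_tag(key: bytes, *parts: bytes) -> bytes:
    """Authentication information: HMAC-SHA256 over the given fields (assumed construction)."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


class Party:
    """One end of the exchange: holds the pre-shared authentication key and a DH private key."""

    def __init__(self, name: bytes, psk: bytes):
        self.name, self.psk = name, psk
        self.priv = secrets.randbelow(P - 2) + 1   # private key material, never transmitted
        self.pub = pow(G, self.priv, P)           # "processed" private key information, transmitted
        self.temp_key = None                      # temporary K agreed during authentication

    def derive_temp_key(self, peer_pub: int) -> bytes:
        shared = pow(peer_pub, self.priv, P)
        self.temp_key = hashlib.sha256(shared.to_bytes(16, "big")).digest()
        return self.temp_key


def run_authentication(source: Party, sink: Party):
    """Run S1-S4 between an encryption source and sink. Returns (transcript, temporary K or None)."""
    transcript = []
    # S1: request type I carries fixed authentication information and key material
    m1 = {"type": "REQ_I", "subject": source.name,
          "auth": auth_tag(source.psk, b"fixed", source.name), "keymat": source.pub}
    transcript.append(m1)
    # S2: response type I, or response type II (failure) if the fixed authentication info does not verify
    if not hmac.compare_digest(m1["auth"], auth_tag(sink.psk, b"fixed", m1["subject"])):
        transcript.append({"type": "RESP_II", "result": "fail"})
        return transcript, None
    nonce = secrets.token_bytes(16)               # random authentication information
    k_sink = sink.derive_temp_key(m1["keymat"])
    m2 = {"type": "RESP_I", "nonce": nonce, "keymat": sink.pub,
          "auth": auth_tag(sink.psk, b"random", nonce, sink.name),
          "enc": auth_tag(k_sink, b"confirm", sink.name)}   # information protected under temporary K
    transcript.append(m2)
    # S3: the source verifies S2; on failure it sends response type II, otherwise request type II
    k_src = source.derive_temp_key(m2["keymat"])
    ok = (hmac.compare_digest(m2["auth"], auth_tag(source.psk, b"random", m2["nonce"], sink.name))
          and hmac.compare_digest(m2["enc"], auth_tag(k_src, b"confirm", sink.name)))
    if not ok:
        transcript.append({"type": "RESP_II", "result": "fail"})
        return transcript, None
    m3 = {"type": "REQ_II", "subject": source.name,
          "confirm": auth_tag(k_src, b"confirm", source.name)}   # authentication subject information
    transcript.append(m3)
    # S4: response type II carries the authentication result
    ok = hmac.compare_digest(m3["confirm"], auth_tag(k_sink, b"confirm", m3["subject"]))
    transcript.append({"type": "RESP_II", "result": "pass" if ok else "fail"})
    return transcript, (k_src if ok else None)
```

Only after S4 reports "pass" does either end hold a temporary K it can use for the OSU frame encryption that follows; a failed check at S2 or S3 ends the exchange with a type II response and no key is established, which is the behaviour a sink implementation should log and count.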
  • FIG. 9 is a schematic diagram of a TCM1-level OSU-encrypted OAM security management frame according to an optional embodiment of the present disclosure.
  • nodes A and B each correspond to an OTN device with integrated tributary and line functions.
  • nodes A1 and A2 correspond to different function points of node A: A1 corresponds to generating the OSUP from the customer service (or demultiplexing the customer service from the OSUP), and A2 corresponds to the OSUT overhead processing function and the adaptation function point that multiplexes into the OPU (or demultiplexes from the OPU to the OSU and processes the OSUT overhead).
  • Nodes B1 and B2 correspond to different function points of node B, whose functions are the inverse of those of A1 and A2. The process includes the following steps:
  • Step S1: the CBR service Client is mapped to the OSU; PM encryption is not enabled;
  • Step S2: generate the OSU frame; at the same time, determine Nx, complete the encryption and authentication of the Nx frames, and insert into the OAM security management frame the value Nx and the TCM1 encryption state set to encrypted;
  • Step S3: generate the OSU frames plus the OSU OAM security management frame; at the same time, learn locally that TCM1-layer encryption is enabled, identify the OSU OAM security management frame, obtain the Nx value and that the encryption source TCM1 is in the encrypted state, perform authentication and decryption, and clear the TCM1 encryption-enabled state;
  • Step S4: generate the OSU frame;
  • Step S5: obtain the CBR service ClientA.
  • step 1 at the A1 end, after the service ClientA is mapped to the OSU, the OSU and PB are both 192 bytes in length and divided into 12 128-bit blocks. If the encryption function is not enabled at the PM level, the OAM security management frame will not be inserted.
  • Step 2: the A2 end learns locally that TCM1 encryption is enabled at the local end, recognizes at the same time that the TCM1 layer is the first encryption layer enabled for the current OSU service, and determines the Nx value. Under balanced consideration of the factors above, Nx can take the value 64; when combined with the identity authentication process, a larger Nx, such as 128, can be considered.
  • 64 consecutive OSU frames are encrypted and authenticated, that is, 768 128-bit blocks, and the OSU security frame encapsulation information generated by the encryption and authentication is carried in the TCM1-level security frame encapsulation information of the OSU OAM security management frame, as shown in FIG. 10, which is a schematic diagram of OSU encryption at the TCM1 layer according to an optional embodiment of the disclosure.
  • Step 4: after the B1 end recognizes the OSU OAM security management frame, it obtains from it that the source end of the TCM1 layer is in the encrypted state, that the Nx value is 64, and the security frame encapsulation information produced by encryption and authentication. It learns locally that the TCM1-level encryption and authentication function is enabled and judges that the local end is the decryption end of the TCM1 level; it then judges whether the number of OSU frames between two adjacent OSU OAM security management frames is Nx and, if so, uses the security frame encapsulation information to authenticate and decrypt the Nx OSU frames, obtaining the plaintext decrypted at the OSU TCM1 level.
  • Step 5 the B2 end demaps the OSU plaintext to obtain the service ClientA.
  • FIG. 11 is a schematic diagram of a PM+TCM1+TCM2 three-layer encryption OSU OAM security management frame according to an optional embodiment of the disclosure; node A and node B are connected through an OTU2, and nodes B and C are connected through an OTU4.
  • the client side accesses the CBR service clientA at a rate of 155.520Mbit/s, generates an OSU frame through mapping, and performs PM-level encryption and authentication on the OSU at the A1 end.
  • the A2 side performs TCM1-level encryption and authentication on the OSU
  • the B1 side performs TCM1-level authentication and decryption on the OSU
  • the B2 side performs TCM2-level encryption and authentication on the OSU
  • the C1 side performs TCM2-level authentication and decryption on the OSU.
  • the OSU PM layer is authenticated and decrypted to finally obtain the CBR service ClientA, as shown in Figure 11, including:
  • Step S1: the CBR service Client is mapped to the OSU and the encryption period is determined to be Nx; at the same time, encryption and authentication of the Nx frames is completed, and Nx, the PM encryption state (set to encrypted) and the security frame encapsulation information produced by the encryption and authentication are inserted into the OAM security management frame;
  • Step S2: generate the OAM security management frame; at the same time, identify the OAM security management frame, obtain the PM encrypted state and Nx, start TCM1 encryption and authentication at the local end, and insert the TCM1 encryption-enabled state into the current OAM frame;
  • Step S3: generate the OAM security management frame; at the same time, learn locally that TCM1 encryption and authentication is enabled, identify the OAM security management frame, obtain the encrypted state of the encryption sources PM+TCM1 and the OSU frame period Nx, perform TCM1-layer authentication and decryption, and clear the TCM1 encryption-enabled state;
  • Step S4: generate the OAM security management frame; at the same time, identify the OAM security management frame, obtain the encrypted state of encryption source PM and Nx, start TCM2 encryption and authentication at the local end, and insert the TCM2 encryption-enabled state into the current OAM frame;
  • Step S5: generate the OAM security management frame; at the same time, identify the OAM security management frame, obtain the encrypted state of the encryption sources PM+TCM2 and Nx, perform TCM2-layer authentication and decryption, and clear the TCM2 encryption-enabled state;
  • Step S6: generate the OAM security management frame; at the same time, identify the OAM security management frame, obtain the encrypted state of encryption source PM and Nx, perform PM-layer authentication and decryption, terminate the OAM security management frame, and obtain the original OSU (CBR) text;
  • Step S7: the service ClientA is obtained.
  • Step 1: at the A1 end, after the service ClientA is mapped to the OSU, the OSU and the PB are both 192 bytes long and are divided into 12 blocks of 128 bits.
  • the A1 end learns locally that the local end is set to start PM layer encryption.
  • the PM layer determines the Nx value for the first encryption and authentication layer. When Nx is chosen in a balanced manner, Nx can be 64. When combined with the identity authentication process, a larger Nx value, such as 128, can be considered.
  • Figure 12 is a schematic diagram of OSU encryption at the PM, TCM1 and TCM2 layers.
  • Step 3: after A2 recognizes the OSU OAM security management frame, it obtains from it that the PM layer source end is in the encrypted state and that the Nx value is 64. At the same time, it learns locally that the local end has enabled the TCM1 level encryption and authentication function, determines that the local end is the TCM1 level encryption source end, sets the TCM1 level encryption state to encrypted and carries it in the OSU OAM security management frame. The A2 side authenticates and encrypts 64 consecutive OSU frames at the TCM1 level and carries the OSU security frame encapsulation information generated by the encryption and authentication in the TCM1 level security frame encapsulation information of the current OSU OAM security management frame.
  • Step 5: after the B2 end recognizes the OSU OAM security management frame, it obtains from it that the PM layer source end is in the encrypted state, that the Nx value is 64, and the PM layer security frame encapsulation information obtained by encryption and authentication. At the same time, it learns locally that the TCM2 level encryption and authentication function is enabled at the local end, determines that the local end is the TCM2 level encryption source end, and sets the TCM2 level encryption state to encrypted, which is carried in the OSU OAM security management frame.
  • the B2 side performs encryption and authentication at the TCM2 level on 64 consecutive OSU frames, and carries the OSU security frame encapsulation information generated by the encryption and authentication in the TCM2 level security frame encapsulation information of the current OSU OAM security management frame.
  • Step 7: after the C2 end recognizes the OSU OAM security management frame, it obtains from it that the PM layer source end is in the encrypted state, that the Nx value is 64, and the PM layer security frame encapsulation information obtained by encryption and authentication, and at the same time.
  • Step 8: the C2 end demaps the OSU to obtain the service ClientA.
  • FIG. 13 is a schematic diagram of a security information processing flow in which Nx and Ny take a fixed OSU period and Nz takes a non-fixed OSU period, according to an optional embodiment of the present disclosure.
  • node A and node B are connected through OTU2;
  • three different services, ClientA, ClientB and ClientC, are accessed on the client side;
  • ClientA is a CBR service with a rate of 155 Mbit/s;
  • ClientB is a PKT service with a maximum guaranteed flow of 100 Mbit/s;
  • ClientC is a PKT service with a maximum guaranteed flow of 200 Mbit/s;
  • the three services are mapped to generate three kinds of OSU frames.
  • the A1 side determines to perform PM layer encryption and authentication for the three OSUs respectively.
  • the three OSU PM layers are authenticated and decrypted at the B2 end, and finally the CBR service ClientA, the PKT service ClientB and the PKT service ClientC are obtained respectively through de-mapping, including the following steps:
  • Step S2: generate OAM security management frame A; meanwhile, identify that PM is encrypted, identify Nx, authenticate and decrypt, and obtain the OSU plaintext;
  • Step S3 obtaining the CBR service ClientA
  • Step S5 generate OAM security management frame B
  • Step S6 obtaining the PKT service ClientB
  • Step S7: the PKT service ClientC is 200M, the actual service flow varies between 40 and 160M, and Nz (16+delta*n) is selected; at the same time, the Nz value is inserted into the overhead and PM encryption is enabled;
  • Step S8 generate OAM security management frame C
  • step S9 the PKT service ClientC is obtained.
  • step 1 at the A1 end, after the service ClientA is mapped to the OSU, the OSU and PB lengths are 192 bytes, and the PB rate is 2.6M.
  • the recommended value of Nx is 64, that is, 64 PBs are occupied in the same service layer OPU.
  • the OAM security management frame bandwidth accounts for 1/Nx of the service bandwidth; considering the OAM bandwidth overhead, the larger the Nx value, the better.
  • the frame length of 192 bytes is a multiple of the 128-bit encryption block, which is sufficient.
  • Nx must also keep the impact of real-time authentication on OSU frame buffering and delay as small as possible. When bandwidth is sufficient, bandwidth can be traded for delay, that is, Nx is 32; in other words, a fixed period of 32 OSU frames can be used for encryption and authentication.
  • the maximum guaranteed traffic of the service ClientB is 100Mbit/s, and the actual rate of the OSU is 104Mbit/s.
  • the recommended value of Ny is 40 according to the above-mentioned principles. Ny can be selected as 40 according to the actual bandwidth and the delay requirements of the PKT service.
  • the statistical value varies from 40 Mbit/s to 160 Mbit/s.
  • the actual rate of the OSU is at most 41.6 Mbit/s to 166.4 Mbit/s.
  • the recommended range of the Nz value is 16 to 64; Nz is increased or decreased by the step delta according to the trend of the statistical flow.
  • the real-time value of Nz and the encrypted state of the PM level are carried in the OSU OAM security management frame.
  • encrypt and authenticate Nz consecutive OSU frames, that is, Nz*12 blocks of 128 bits, and carry the OSU security frame encapsulation information generated by the encryption and authentication in the PM level security frame encapsulation information of the OSU OAM security management frame.
  • Step 3: after the B2 end recognizes the OSU OAM security management frame of the ClientA OSU service, it obtains from the OSU OAM security management frame that the PM layer source end of the OSU service is encrypted, the Nx value, and the security frame encapsulation information obtained by the encryption and authentication of each OSU service. At the same time, it obtains locally that the PM level is set to enable the encryption and authentication function and judges that the local end is the PM level decryption end; it further judges whether the number of OSU frames between two adjacent OSU OAM security management frames is Nx and, if so, uses the security frame encapsulation information to authenticate and decrypt the Nx OSU frames to obtain the plaintext decrypted at the OSU PM level, and demaps the OSU to obtain the service ClientA, as shown in Figure 14.
  • Figure 14 is schematic diagram (1) of Nx and Ny taking a fixed OSU period and Nz taking a non-fixed OSU period.
  • after the B2 side recognizes the OSU OAM security management frame of the ClientB OSU service, it obtains from the OSU OAM security management frame that the PM layer source end of the OSU service is encrypted, the Ny value, and the security frame encapsulation information obtained by the encryption and authentication of each OSU service. At the same time, it learns locally that the PM level is set to enable the encryption and authentication function at the local end. It judges that the local end is the PM level decryption end and further judges whether the number of OSU frames between two adjacent OSU OAM security management frames is Ny.
  • Figure 15 is schematic diagram (2) of Nx and Ny taking a fixed OSU period and Nz taking a non-fixed OSU period.
  • after the B2 end recognizes the OSU OAM security management frame of the ClientC OSU service, it obtains from the OSU OAM security management frame that the PM layer source end of the OSU service is encrypted, the Nz value, and the security frame encapsulation information obtained by the encryption and authentication of each OSU service. At the same time, it learns locally that the PM level is set to enable the encryption and authentication function at the local end. It judges that the local end is the PM level decryption end and further judges whether the number of OSU frames between two adjacent OSU OAM security management frames is Nz; if so, it uses the security frame encapsulation information to authenticate and decrypt the Nz OSU frames to obtain the plaintext decrypted at the OSU PM level, and demaps the OSU to obtain the service ClientC, as shown in Figure 16.
  • Figure 16 is a schematic diagram (3) of Nx and Ny taking a fixed OSU period, and Nz taking a non-fixed OSU period.
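A simulation of the layered framing described above, added here as an illustration and not part of the patent: it models the PM/TCM1/TCM2 nesting of Figures 11 and 12 and the "number of OSU frames between adjacent OAM frames equals N" check of Figures 14 to 16, with one security management record per N-frame interval holding the per-level states, N and the per-level SFH/SFC. The cipher (SHA-256 in counter mode) and the integrity check (HMAC-SHA256) are stand-ins for the algorithms the page leaves unspecified, and the node names, keys and frame contents are constructed.

```python
"""Layered OSU security management framing (Figures 11-12, 14-16).
Constructed example: SHA-256 in counter mode stands in for the cipher and
HMAC-SHA256 for the integrity check; neither is the patent's algorithm."""
import hashlib
import hmac
import os

FRAME_LEN = 192                   # OSU frame / PB length: 12 blocks of 128 bits
LEVELS = ("PM", "TCM1", "TCM2")   # the M = 3 encryption levels of the example


def keystream(key, level, sfh, nbytes):
    """Assumed stream cipher keyed by (key, level, SFH nonce, block counter)."""
    out = b""
    for ctr in range((nbytes + 31) // 32):
        out += hashlib.sha256(key + level.encode() + sfh + ctr.to_bytes(4, "big")).digest()
    return out[:nbytes]


def encrypt_interval(frames, key, level):
    """Encrypt N consecutive OSU frames (N*12 blocks) as one unit; returns the
    ciphertext frames, the SFH (nonce, carried before them) and the SFC (tag, after them)."""
    sfh = os.urandom(12)
    plain = b"".join(frames)
    cipher = bytes(a ^ b for a, b in zip(plain, keystream(key, level, sfh, len(plain))))
    sfc = hmac.new(key, level.encode() + sfh + cipher, hashlib.sha256).digest()
    return [cipher[i:i + FRAME_LEN] for i in range(0, len(cipher), FRAME_LEN)], sfh, sfc


def decrypt_interval(frames, key, level, sfh, sfc):
    """Authenticate with the SFC first, then decrypt with the SFH; None on failure."""
    cipher = b"".join(frames)
    expect = hmac.new(key, level.encode() + sfh + cipher, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, sfc):
        return None
    plain = bytes(a ^ b for a, b in zip(cipher, keystream(key, level, sfh, len(cipher))))
    return [plain[i:i + FRAME_LEN] for i in range(0, len(plain), FRAME_LEN)]


def new_oam(n):
    """OSU OAM security management record: per-level state, N, per-level SFH/SFC."""
    return {"N": n, "state": dict.fromkeys(LEVELS, "unencrypted"),
            "encap": dict.fromkeys(LEVELS)}


class Node:
    """One OTN node acting as encryption source, decryption sink or transit for
    a single level (the roles of A1, A2, B1, B2, C1 and C2 in Figure 12)."""

    def __init__(self, name, level, role, key):
        self.name, self.level, self.role, self.key = name, level, role, key

    def process(self, oam, frames):
        if self.role == "source":
            frames, sfh, sfc = encrypt_interval(frames, self.key, self.level)
            oam["state"][self.level] = "encrypted"       # carried in the OAM overhead
            oam["encap"][self.level] = (sfh, sfc)        # in this level's SFH/SFC overhead
        elif self.role == "sink":
            if oam["state"][self.level] != "encrypted":
                raise ValueError(f"{self.name}: level {self.level} is not encrypted")
            if len(frames) != oam["N"]:                  # frames between adjacent OAM frames
                raise ValueError(f"{self.name}: expected {oam['N']} OSU frames, got {len(frames)}")
            sfh, sfc = oam["encap"][self.level]
            frames = decrypt_interval(frames, self.key, self.level, sfh, sfc)
            if frames is None:
                raise ValueError(f"{self.name}: SFC authentication failed at {self.level}")
            oam["state"][self.level] = "unencrypted"     # clear the level's enable state
            oam["encap"][self.level] = None
        # transit nodes, and levels a node does not own, pass the OSU transparently
        return oam, frames


def run_path(plain_frames, n, keys, tamper_at=None, drop_at=None):
    """Carry one N-frame interval A1 -> A2 -> B1 -> B2 -> C1 -> C2.  Returns
    (recovered frames or None, (PM, TCM1, TCM2) states after each node, error)."""
    path = [Node("A1", "PM", "source", keys["PM"]), Node("A2", "TCM1", "source", keys["TCM1"]),
            Node("B1", "TCM1", "sink", keys["TCM1"]), Node("B2", "TCM2", "source", keys["TCM2"]),
            Node("C1", "TCM2", "sink", keys["TCM2"]), Node("C2", "PM", "sink", keys["PM"])]
    oam, frames, trace = new_oam(n), list(plain_frames), []
    try:
        for node in path:
            if node.name == tamper_at:   # simulate corruption on the link into this node
                frames[0] = bytes([frames[0][0] ^ 1]) + frames[0][1:]
            if node.name == drop_at:     # simulate loss of one OSU frame on that link
                frames = frames[:-1]
            oam, frames = node.process(oam, frames)
            trace.append(tuple(oam["state"][lv] for lv in LEVELS))
    except ValueError as err:
        return None, trace, str(err)
    return frames, trace, None
```

A bit flipped between B1 and B2 passes the TCM2 check at C1 (TCM2 was applied over the already corrupted PM ciphertext) and is only caught by the PM level SFC at C2, while a lost frame is caught at the next sink by the N count.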
  • FIG. 17 is a flowchart of an example of a specific message of an identity authentication process according to an optional embodiment of the present disclosure.
  • the encryption is combined with the identity authentication process.
  • the OTN device node A and node B at both ends are connected through OTU2; the client side of node A accesses the CBR service ClientA at a rate of 155.520 Mbit/s and generates OSU frames through mapping.
  • node A initiates the identity authentication process.
  • Nodes A and B respectively verify and authenticate the information sent by the peer.
  • all identity authentication messages are encapsulated by GFP, inserted into the KCC (Key Exchange Communication Channel) and sent to the peer end; after the identity authentication is completed, the pure encryption process is enabled, as shown in Figure 17, including:
  • Step S1: request message type I (fixed authentication information and private key information); at the same time, verify the fixed authentication information against local storage;
  • Step S2: response message type I (encrypted private key information and private key information) or response message type II (authentication failure); at the same time, verify the converted private key information against the received private key information;
  • Step S3: request message type II (encrypted identity authentication information) or response message type II (authentication failure); at the same time, verify whether the identity authentication information after the local symmetric conversion is consistent with the received information;
  • Step S4: response message type II (authentication success or failure).
  • Step 1 A node encryption entity sends an identity authentication request message type I to node B, carrying fixed authentication information and private key material information of the node, such as a timestamp or a counter generated by the DF algorithm.
  • the fixed authentication information can be information stored at both ends, such as the port number, IP information or even the user name, after a one-way algorithmic conversion.
  • Step 2 After receiving the identity authentication message type I, the node B first determines whether the fixed authentication information is the intended communication object, and if not, replies with an identity authentication response message type II, which carries the authentication failure information.
  • Step 3: if node B verifies that the users are consistent, it generates the private key material information of this node, such as a random timestamp or counter value, obtains a temporary Ki (Key Index) according to the information generated by the DF algorithm and the private key material information of node A, and sends the encrypted private key material information of this node together with the private key material information of this node to node A through identity authentication response message type I.
  • Step 4 Node A receives the identity authentication response message type I, extracts the private key material information sent by node B, and combines the private key material information of this node to obtain temporary Ki through the DF algorithm.
  • the carried encrypted information is decrypted, and at the same time it is determined whether the decrypted information is consistent with the private key information of node B carried in the message. If they are the same, node B is preliminarily considered legitimate and node A continues with the next authentication process.
  • Step 5: node A uses the information stored at both ends, such as the user name and password, converted by some algorithm, optionally a HASH or a HASH combined with an XOR algorithm, as the authentication subject information, and sends it to node B through identity authentication request message type II.
  • Step 6: after receiving identity authentication request message type II, node B converts the information stored at the local end using the symmetric algorithm, verifies the authentication subject information and compares whether the two are consistent. If they are the same, identity authentication response message type II is returned, carrying the authentication success information.
  • Step 7 After receiving the authentication success, the A node starts the encryption process, and the SFC information is processed according to the default value.
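The four-message exchange above (request/response type I, request/response type II), as an added simulation that is not the patent's own implementation. The page does not specify the DF algorithm or the credential conversion, so this example assumes HMAC-SHA256 under a constructed pre-shared secret for the temporary Ki and an HMAC keyed with Ki for the authentication subject information; the node addresses, ports and credentials are constructed.

```python
"""Simulation of the Figure 17 identity authentication flow between OTN
nodes A and B.  Constructed example: derive_ki() stands in for the page's
unspecified DF algorithm and credential_proof() for its 'HASH' conversion."""
import hashlib
import hmac
import os

PRESHARED = b"constructed pre-shared secret for Ki derivation"   # assumption


def fixed_auth_info(port, ip):
    """One-way conversion of the information stored at both ends (port/IP)."""
    return hashlib.sha256(f"{ip}:{port}".encode()).digest()


def derive_ki(material_a, material_b):
    """Temporary Ki from both nodes' private key material (assumed DF stand-in)."""
    return hmac.new(PRESHARED, material_a + material_b, hashlib.sha256).digest()


def xor_with_ki(ki, block):
    """Encrypt/decrypt one 16-byte key material block under Ki (XOR with a Ki-derived pad)."""
    pad = hashlib.sha256(b"material-pad" + ki).digest()
    return bytes(a ^ b for a, b in zip(block, pad))


def credential_proof(ki, username, password):
    """Authentication subject information: stored credential converted under Ki."""
    return hmac.new(ki, f"{username}:{password}".encode(), hashlib.sha256).digest()


class OtnNode:
    """Holds what the page says is stored at both ends: the peer's fixed
    authentication information and the shared user name / password."""

    def __init__(self, port, ip, peer_port, peer_ip, username, password):
        self.own_fixed = fixed_auth_info(port, ip)
        self.expected_peer = fixed_auth_info(peer_port, peer_ip)
        self.username, self.password = username, password
        self.material = os.urandom(16)    # private key material (timestamp/counter stand-in)
        self.ki = None
        self.encryption_started = False

    # ---- node A (initiator) ----
    def request_type_i(self):
        return {"type": "REQ_I", "fixed": self.own_fixed, "material": self.material}

    def handle_response_type_i(self, msg):
        if msg["type"] != "RSP_I":
            return None                    # response type II: authentication failure
        self.ki = derive_ki(self.material, msg["material"])
        if xor_with_ki(self.ki, msg["encrypted"]) != msg["material"]:
            return None                    # decrypted material differs: B has a different Ki
        proof = credential_proof(self.ki, self.username, self.password)
        return {"type": "REQ_II", "proof": proof}

    def handle_response_type_ii(self, msg):
        self.encryption_started = msg["type"] == "RSP_II" and msg["ok"]
        return self.encryption_started

    # ---- node B (responder) ----
    def handle_request_type_i(self, msg):
        if not hmac.compare_digest(msg["fixed"], self.expected_peer):
            return {"type": "RSP_II", "ok": False}   # not the intended communication object
        self.ki = derive_ki(msg["material"], self.material)
        return {"type": "RSP_I", "material": self.material,
                "encrypted": xor_with_ki(self.ki, self.material)}

    def handle_request_type_ii(self, msg):
        local = credential_proof(self.ki, self.username, self.password)
        return {"type": "RSP_II", "ok": hmac.compare_digest(local, msg["proof"])}


def authenticate(a, b):
    """Run the exchange; True when A receives authentication success and starts encryption."""
    rsp_i = b.handle_request_type_i(a.request_type_i())
    req_ii = a.handle_response_type_i(rsp_i)
    if req_ii is None:
        return False
    return a.handle_response_type_ii(b.handle_request_type_ii(req_ii))
```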
  • FIG. 18 is a structural diagram of a security management information processing device for an optical transport network according to an embodiment of the present disclosure. As shown in FIG. 18, the device includes:
  • the encryption module 1802 is configured to insert the OSU OAM security management frame every N OSU frames in the optical service unit OSU, and encrypt the N OSU frames;
  • the bearing module 1804 is configured to carry the encrypted security frame header SFH into the OSU OAM security management frame before the N OSU frames.
  • the apparatus further includes:
  • the authentication calculation module is configured to perform the integrity calculation required for authentication on the N OSU frames, and to carry the obtained security frame check SFC required for authentication in the OSU OAM security management frame after the N OSU frames.
  • the apparatus further includes:
  • the identity authentication module is set to perform two-way identity authentication with the encryption sink.
  • the apparatus further includes:
  • the determining module is configured to determine the value of N according to the available bandwidth of the OSU security management frame and the encryption processing delay requirements.
  • the encryption module 1802 is further configured to: when the current encryption level A of the OSU is the first of the M encryption levels of the OSU frame to be activated, insert the OSU OAM security management frame every N OSU frames, encrypt the N OSU frames, set the encryption state of encryption level A in the OAM frame to encrypted, and set the N value therein to a known value.
  • the apparatus further includes:
  • the processing module is configured to: if the OSU OAM security management frame is detected in the OSU and the current encryption level A of the OSU is not the first of the M encryption levels of the OSU frame to be started, encrypt the N OSU frames and carry the generated security encapsulation information in the overhead corresponding to encryption level B of the OSU OAM management frame.
  • the apparatus further includes:
  • An acquisition module configured to acquire the encryption state of the encryption source end of the encryption level A and the value of the N from the OSU OAM security management frame, and simultaneously determine to enable the encryption processing of the encryption level B;
  • a setting module is configured to set the encryption state of the encryption level B in the OSU OAM security management frame to an encrypted state.
  • the OSU OAM security management frame includes overhead corresponding to the M encryption levels for storing the encryption state, overhead for storing the N value, and overhead corresponding to the M encryption levels for storing the security frame header SFH and/or the security frame check SFC.
  • the bearing module 1804 is further configured to carry the security frame encapsulation information in the overhead corresponding to encryption level A in the OSU OAM security management frame, wherein the security frame encapsulation information includes the security frame header SFH and/or the security frame check SFC.
  • the bearing module 1804 is further configured to carry N and the encrypted state of the current encryption level in the OSU OAM security management frame.
  • FIG. 19 is a structural diagram of a security management information processing device of an optical transport network according to a preferred embodiment of the present disclosure. As shown in FIG. 19 , the device includes:
  • the identification module 1902 is set to identify the OSU OAM security management frame from the OSU received;
  • the decryption module 1904 is configured to decrypt the OSU according to the OSU OAM security management frame.
  • the decryption module 1904 is further configured to: identify the encryption state of encryption level A from the OSU OAM security management frame; when the encryption state of encryption level A is the encrypted state and the local end is the decryption end of encryption level A, decrypt the OSU according to the OSU OAM security management frame.
  • the decryption module is further configured to: extract the value of N and the SFH from the OSU OAM security management frame; determine whether the number of OSU frames in the interval between adjacent OAM frames is N; if so, decrypt the N OSU frames according to the SFH to obtain the plaintext OSU.
  • the decryption module is further configured to: if the OSU OAM security management frame also carries the security frame check SFC used for authenticating the N OSU frames, authenticate the N OSU frames according to the SFC; after the authentication passes, decrypt the N OSU frames according to the SFH to obtain the plaintext OSU.
  • the N OSU frames need to be authenticated according to the SFC first, and only then decrypted according to the SFH to obtain the plaintext OSU.
  • the apparatus further includes: a first processing module configured to transparently pass the OSU when the encryption state of encryption level A is the encrypted state and the local end is not the decryption end of encryption level A.
  • the OSU frame can thus also be transparently transmitted when it is in the encrypted state and the local end is not the decryption end.
  • the apparatus further includes: a first processing module configured to set the encryption state of encryption level A in the OSU OAM security management frame to unencrypted.
  • Embodiments of the present disclosure also provide a computer-readable storage medium, where a computer program is stored in the computer-readable storage medium, wherein the computer program is configured to execute the steps in any one of the above method embodiments when running.
  • the above-mentioned computer-readable storage medium may include, but is not limited to, a USB flash drive, a read-only memory (Read-Only Memory, ROM for short), a random access memory (Random Access Memory, RAM for short), a mobile hard disk, a magnetic disk, a CD-ROM or other media that can store computer programs.
  • An embodiment of the present disclosure also provides an electronic device, including a memory and a processor, where a computer program is stored in the memory, and the processor is configured to run the computer program to execute the steps in any one of the above method embodiments.
  • the above-mentioned electronic device may further include a transmission device and an input-output device, wherein the transmission device is connected to the above-mentioned processor, and the input-output device is connected to the above-mentioned processor.
  • the modules or steps of the present disclosure can be implemented by a general-purpose computing device; they can be centralized on a single computing device or distributed over a network composed of multiple computing devices.
  • they can be implemented in program code executable by a computing device, so that they can be stored in a storage device and executed by the computing device, and in some cases the described steps can be performed in a different order than shown here; alternatively, they can each be made into individual integrated circuit modules, or a plurality of the modules or steps can be made into a single integrated circuit module.
  • the present disclosure is not limited to any particular combination of hardware and software.


Abstract

Embodiments of the present disclosure relate to a method and an apparatus for processing security management information for an optical transport network, the method comprising: inserting an OSU OAM security management frame every N OSU frames in an OSU, and encrypting the N OSU frames; placing an encrypted security frame header (SFH) in the OSU OAM security management frame before the N OSU frames, so that the security problem of how to ensure OSU transmission in related technologies can be solved; and inserting the OSU OAM security management frame every N OSU frames, the OSU OAM security management frame being used to carry the security frame encapsulation information (SFH) used by the N OSU frames for encryption, so that secure transmission of the OSU frames is ensured.
PCT/CN2022/073865 2021-01-29 2022-01-25 Method and apparatus for processing security management information for an optical transport network WO2022161369A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN202110130725.2A CN112929355A (zh) 2021-01-29 2021-01-29 Security management information processing method and apparatus for an optical transport network
CN202110130725.2 2021-01-29

Publications (1)

Publication Number Publication Date
WO2022161369A1 true WO2022161369A1 (fr) 2022-08-04

Family

ID=76168873

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2022/073865 WO2022161369A1 (fr) 2021-01-29 2022-01-25 Method and apparatus for processing security management information for an optical transport network

Country Status (2)

Country Link
CN (1) CN112929355A (fr)
WO (1) WO2022161369A1 (fr)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN112929355A (zh) * 2021-01-29 2021-06-08 中兴通讯股份有限公司 Security management information processing method and apparatus for an optical transport network
CN115549895A (zh) * 2021-06-29 2022-12-30 深圳市海思半导体有限公司 Encrypted transmission method and apparatus

Citations (5)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20080040604A1 (en) * 2005-12-05 2008-02-14 Electronics & Telecommunications Research Institute System and method for providing authenticated encryption in GPON network
CN111490845A (zh) * 2019-01-28 2020-08-04 中兴通讯股份有限公司 Method, apparatus and system for transmitting client services
CN111713117A (zh) * 2018-02-09 2020-09-25 华为技术有限公司 Method and apparatus for processing service data in an optical transport network
CN111865887A (zh) * 2019-04-30 2020-10-30 华为技术有限公司 Data transmission method and apparatus in an optical transport network
CN112929355A (zh) * 2021-01-29 2021-06-08 中兴通讯股份有限公司 Security management information processing method and apparatus for an optical transport network


Also Published As

Publication number Publication date
CN112929355A (zh) 2021-06-08


Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 22745243

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established

Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC (EPO FORM 1205A DATED 12.12.2023)