CN101247220B - Method for cryptographic key exchange of passive optical network system - Google Patents


Info

Publication number
CN101247220B
CN101247220B
Authority
CN
China
Prior art keywords
key
olt
onu
cipher key
message
Prior art date
Legal status
Active
Application number
CN2008101020327A
Other languages
Chinese (zh)
Other versions
CN101247220A (en)
Inventor
孙智溢
Current Assignee
ZTE Corp
Original Assignee
ZTE Corp
Priority date
2008-03-14
Filing date
2008-03-14
Publication date
2011-03-02
Events
  • Application filed by ZTE Corp
  • Priority to CN2008101020327A
  • Publication of CN101247220A
  • Application granted
  • Publication of CN101247220B
  • Legal status: Active

Landscapes

  • Small-Scale Networks (AREA)

Abstract

The present invention discloses a key exchange method for a passive optical network (PON) system, comprising the following steps: when the first key exchange period arrives, a key is generated by a first key exchange performed according to the standard key exchange method; when a new key update period arrives, the optical line terminal (OLT) sends to the optical network unit (ONU) a random number and a key switching time that have been encrypted with the key generated by the previous key exchange; after receiving the message, the ONU returns an acknowledgement message to the OLT, and the OLT and ONU then generate the new key at the same time; once the OLT has received the acknowledgement and the key switching time arrives, the OLT and ONU switch to the new key simultaneously. The invention reduces the number of downstream physical layer operations, administration and maintenance (PLOAM) messages exchanged during key exchange, and thereby reduces the risk of key exchange failure while preserving the security of the key exchange.

Description

A method of key exchange for a passive optical network
Technical field
The present invention relates to key exchange in passive optical networks (PON), and in particular to a method of key exchange for a PON system.
Background art
With the development of broadband access technology, PON is regarded as a very important broadband access technology; its greatest advantage is that no active device is needed between the local exchange and the user. A PON system usually consists of an optical line terminal (OLT) on the central office side, optical network units (ONU) or optical network terminals (ONT) on the user side, and an optical distribution network (ODN), and usually adopts a point-to-multipoint network configuration. The ODN is made up of passive optical components such as single-mode fibre, optical splitters and optical connectors, and provides the light-transmitting medium for the physical connection between the OLT and the ONUs. In a PON system, downstream data is broadcast to every ONU on the PON; if a malicious user reprograms an ONU, that ONU can hear the downstream data of all users. This is the so-called "eavesdropping" threat encountered in PON security.
To prevent eavesdropping, PON systems at present mainly encrypt the downstream channel with the advanced encryption standard (AES) encryption method used in the ITU-T G.984.3 standard. As shown in Fig. 1, this encryption method mainly comprises the following steps:
Step 101: the OLT sends a key request message to the ONU over the downstream physical layer operation, administration and maintenance (PLOAM) channel, by broadcast or unicast, to request a key update; this key request message is Request_Key Message.
Step 102: after receiving the key request message, the ONU generates a 128-bit random number (RAND) and stores the RAND in the ONU's shadow key register (shadow_key_register).
Step 103: the ONU sends the RAND to the OLT in an upstream PLOAM key message; this key message is Encryption Key Message.
Here, because of the size limit of upstream PLOAM messages, the RAND is split into two fragments for transmission. To ensure successful reception, each fragment has to be sent three times, so the ONU sends six upstream PLOAM Encryption Key Messages to the OLT in total.
If the OLT fails to receive either fragment of the RAND in all three attempts, it sends a new Request_Key Message to the ONU, requiring the ONU to generate another RAND. After three failed key transmissions, the OLT declares loss of key synchronisation and sends a Deactivate message to the ONU.
Step 104: using the RAND stored in step 102, the ONU computes the key by Key = f(RAND) and stores the computed key in the ONU's shadow_key_register;
at the same time, using the received RAND, the OLT computes the key by Key = f(RAND) and stores the computed key in the OLT's shadow_key_register.
Step 105: the OLT selects an arbitrary frame number as the first frame in which the new key is used, and sends to the ONU a key switching time PLOAM message carrying this frame number; this message is Key_switching_time.
Here, the Key_switching_time message is sent three times; the ONU only needs to receive one of them with a correct cyclic redundancy check (CRC) to learn the switching time.
Step 106: the ONU sends an acknowledgement PLOAM message to the OLT; this acknowledgement PLOAM message is Acknowledge.
Here, the ONU returns one acknowledgement each time it receives a Key_switching_time message; since the OLT sends three Key_switching_time messages in step 105, three acknowledgements are returned.
After the above key exchange succeeds, the OLT and ONU start to use the new key to encrypt and decrypt downstream data.
At the start of the first frame in which the new key is used, the OLT copies the content of its own shadow_key_register to its active key register (active_key_register), and the ONU copies the content of its own shadow_key_register to its active_key_register, which ensures that both sides use the new key at the same time.
In addition, the OLT can periodically send key request messages to the ONU to perform periodic key exchange, which effectively prevents eavesdropping.
It can be seen that in one key exchange of the prior art the OLT and ONU usually need two round trips: one PLOAM message in step 101, six PLOAM messages in step 103, three in step 105 and three in step 106, so one key exchange process uses 13 PLOAM messages in total. Loss of any PLOAM message during this interaction may cause the key exchange to fail, so the risk of failure when exchanging keys with this prior-art method is relatively high.
Summary of the invention
In view of this, the main object of the present invention is to provide a method of key exchange for a PON system which, on the basis of guaranteeing the security of the key exchange, improves the efficiency of key exchange and reduces the risk of key exchange failure by reducing the number of PLOAM interaction messages in the key exchange process.
To achieve the above object, the technical scheme of the present invention is realised as follows:
A method of key exchange for a passive optical network (PON) system, comprising the following steps:
A. when the first key exchange period arrives, a first key exchange is performed according to the standard key exchange method to generate a key; when a new key update period arrives, the optical line terminal (OLT) encrypts a first random number it has generated and a key switching time with the current key, places them in a downstream physical layer operation, administration and maintenance (PLOAM) key switching time message, and sends the message to the optical network unit (ONU);
B. the ONU receives the key switching time PLOAM message sent by the OLT, decrypts it with the current key, extracts the first random number and the key switching time, and sends an acknowledgement message to the OLT;
C. the OLT and ONU each use the first random number and the current key to compute a new key in the same manner;
D. the OLT receives the acknowledgement message sent by the ONU, and when the key switching time arrives, the OLT and ONU switch to the new key simultaneously.
Further, the key switching time is the starting frame number that the OLT has determined for the new key.
Further, the arrival of the key switching time is the arrival of the starting frame number.
Preferably, the length of the first random number is less than or equal to 48 bits.
Preferably, the OLT sends the key switching time PLOAM message to the ONU three times.
Further, the ONU sends the acknowledgement PLOAM message to the OLT three times.
Further, the method of generating the new key in step C is: the OLT and ONU each generate a second random number for this key exchange from the current key and the first random number, and compute the new key from this second random number.
Preferably, the length of the second random number is 128 bits.
Preferably, the second random number is obtained by a bitwise XOR of the first random number with the current key.
In the PON system key exchange method of the present invention, after the first key exchange has been performed with the prior-art method, the OLT directly generates the random number RAND, encrypts this RAND and the selected arbitrary frame number with the key generated last time, and places the RAND and the selected frame number in a key switching time PLOAM message that is sent to the ONU in one go. In this way, at every key exchange, on the basis of guaranteeing that the random number and the selected frame number sent by the OLT to the ONU are secure, the OLT and ONU perform only one round trip, and the PLOAM messages needed per key exchange fall from 13 in the prior art to six. This reduces the time spent in the key exchange process, saves system resources and, most importantly, improves the efficiency of key exchange and reduces the risk of key exchange failure. In addition, although the random number transmitted between the OLT and ONU is 48 bits, the random number used in the actual encryption process is the 128-bit RAND' computed from the random number RAND and the current key, and RAND' is the value on which the cryptographic algorithm operates. Therefore the security of the encryption system itself is not reduced by the exchanged random number being reduced to 48 bits or less.
Brief description of the drawings
Fig. 1 is a schematic flow chart of the prior-art ITU-T G.984.3 key exchange method;
Fig. 2 is a schematic flow chart of the PON system key exchange method of the present invention.
Embodiments
The basic idea of the present invention is: after the first key exchange of the PON system has succeeded, the OLT encrypts a random number it has generated together with the key switching time using the key generated by the previous key exchange (the current key) and sends them to the ONU at the same time; the OLT and ONU then generate the key for the next round of encryption from this random number and the current key, and switch keys simultaneously at the specified moment.
The specific implementation of the present invention is described in further detail below with reference to the accompanying drawings.
When the first key update period arrives, the PON system first performs the first key exchange according to the prior-art ITU-T G.984.3 key exchange method.
Here, the PON system generally performs the first key exchange according to the prior-art ITU-T G.984.3 key exchange method. The reason the first key exchange follows the prior art is that in the prior art the random number RAND is sent from the ONU to the OLT; if the first RAND were sent directly from the OLT to the ONU without the protection of any key, every ONU could obtain this RAND and the RAND could be maliciously modified, so the prior-art method is used here precisely to prevent the RAND from being maliciously modified or destroyed. The reason the following steps can send the RAND from the OLT to the ONU is that the key generated by this key exchange is protected by the key generated last time, i.e. the current key, which ensures the security of the RAND.
The flow of the PON system key exchange method of the present invention is shown in Fig. 2 and comprises the following steps:
Step 201: when a new key update period arrives, the OLT generates a random number RAND of at most 48 bits, encrypts the RAND and a selected frame number with the current key, places them in a key switching time PLOAM message, and sends the key switching time PLOAM message to the ONU to request a key update.
Here, the OLT selects any frame number as the first frame in which the new key is used, and places the starting frame number of the new key and the generated RAND in the key switching time PLOAM message, i.e. the Key_Switching_Time message. The selected frame number in fact represents the key switching time, and the arrival of the starting frame number of the new key is the arrival of the key switching time. The key switching time PLOAM message has to be sent three times to ensure that the ONU receives it correctly. In addition, to guarantee the security of the key exchange process, the starting frame number of the new key and the random number RAND fields are encrypted with the current key. The format of the key switching time PLOAM message is shown in Table 1.
Note that no fragmentation is needed here, because a field of at most 48 bits can be carried in the reserved field of the existing Key_Switching_Time message.
Byte   Content               Description
1      ONU-ID or 11111111    Message sent to the ONU with the given ID, or to all ONUs. When broadcast to all ONUs, ONU-ID = 0xFF
2      00010101              Indicates that the message type is "Key_Switching"
3      FrameCounter1         The 6 most significant bits of the 30-bit multi-frame counter, which counts from the first frame that uses the new key
4      FrameCounter2         (next 8 bits of the counter)
5      FrameCounter3         (next 8 bits of the counter)
6      FrameCounter4         The 8 least significant bits of the 30-bit multi-frame counter, counting from the first frame that uses the new key
7-12   RAND                  Random number RAND
Table 1
Step 202: after receiving the key switching time PLOAM message, the ONU decrypts it with the current key, extracts the key switching time and RAND, and sends an acknowledgement PLOAM message to the OLT.
Here, the format of the acknowledgement message is shown in Table 2.
Byte   Content     Description
1      ONU-ID      Identifies the ONU that sends this message
2      00001001    Indicates that the message type is "Acknowledge"
3      DM_ID       Message identifier of the downstream message
4      DMBYTE1     1st byte of the downstream message
5      DMBYTE2     2nd byte of the downstream message
6      DMBYTE3     3rd byte of the downstream message
7      DMBYTE4     4th byte of the downstream message
8      DMBYTE5     5th byte of the downstream message
9      DMBYTE6     6th byte of the downstream message
10     DMBYTE7     7th byte of the downstream message
11     DMBYTE8     8th byte of the downstream message
12     DMBYTE9     9th byte of the downstream message
Table 2
Here, the ONU returns one acknowledgement for each Key_Switching_Time message it receives, so the ONU sends three acknowledgement PLOAM messages to the OLT in total.
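As an added example (not ZTE's code and not an implementation taken from ITU-T G.984.3), the following Python packs and parses the two 12-byte PLOAM messages of Tables 1 and 2 and performs the OLT-side check that an Acknowledge really echoes the Key_Switching_Time message that was sent. Assumptions not stated on the page: DM_ID is the downstream message-type byte and DMBYTE1..9 are downstream bytes 3 to 11; a RAND shorter than 48 bits is zero-padded on the left to fill bytes 7-12; and the encryption of the frame-counter and RAND fields under the current key is left out, so the messages are handled in the clear. The sample RAND and frame number are constructed values.

```python
"""Key_Switching_Time (Table 1) and Acknowledge (Table 2) PLOAM messages.

Added example for this page; not the patent holder's code.  Field layouts
follow the two tables; the echo layout of the acknowledgement and the
padding of short RANDs are assumptions, flagged below.
"""

KEY_SWITCHING = 0x15     # 00010101, Table 1 byte 2
ACKNOWLEDGE = 0x09       # 00001001, Table 2 byte 2
BROADCAST_ID = 0xFF      # ONU-ID 11111111: message addressed to all ONUs
FRAME_COUNTER_BITS = 30  # multi-frame counter width
RAND_BYTES = 6           # bytes 7-12, i.e. up to 48 bits of RAND
PLOAM_LEN = 12


def build_key_switching_time(onu_id: int, first_frame: int, rand: bytes) -> bytes:
    """Build the 12-byte Key_Switching_Time message of Table 1."""
    if not 0 <= onu_id <= 0xFF:
        raise ValueError("ONU-ID must fit in one byte")
    if not 0 <= first_frame < (1 << FRAME_COUNTER_BITS):
        raise ValueError("starting frame number must be a 30-bit value")
    if not 1 <= len(rand) <= RAND_BYTES:
        raise ValueError("RAND must be between 1 and 48 bits")
    # Byte 3 carries the 6 most significant bits, bytes 4-6 the remaining 24 bits.
    counter = bytes([
        (first_frame >> 24) & 0x3F,
        (first_frame >> 16) & 0xFF,
        (first_frame >> 8) & 0xFF,
        first_frame & 0xFF,
    ])
    # Assumption: a RAND shorter than 48 bits is zero-padded on the left.
    return bytes([onu_id, KEY_SWITCHING]) + counter + rand.rjust(RAND_BYTES, b"\x00")


def parse_key_switching_time(msg: bytes) -> dict:
    """Parse a Key_Switching_Time message, rejecting malformed input."""
    if len(msg) != PLOAM_LEN:
        raise ValueError("Key_Switching_Time message must be 12 bytes")
    if msg[1] != KEY_SWITCHING:
        raise ValueError("not a Key_Switching message")
    if msg[2] & 0xC0:
        # Only 6 of the 8 bits of FrameCounter1 belong to the 30-bit counter.
        raise ValueError("unused high bits of FrameCounter1 must be zero")
    first_frame = (msg[2] << 24) | (msg[3] << 16) | (msg[4] << 8) | msg[5]
    return {"onu_id": msg[0], "first_frame": first_frame, "rand": msg[6:12]}


def build_acknowledge(onu_id: int, downstream: bytes) -> bytes:
    """Build the Acknowledge message of Table 2 for a received downstream message."""
    if len(downstream) != PLOAM_LEN:
        raise ValueError("downstream PLOAM message must be 12 bytes")
    # Assumed echo layout: DM_ID = downstream type byte, DMBYTE1..9 = downstream bytes 3..11.
    return bytes([onu_id, ACKNOWLEDGE, downstream[1]]) + downstream[2:11]


def acknowledgement_matches(ack: bytes, sent: bytes) -> bool:
    """OLT-side check: does this Acknowledge echo the message that was actually sent?

    The ONU-ID in the acknowledgement is the responder's own ID and so is not
    compared against a broadcast (0xFF) downstream message.
    """
    if len(ack) != PLOAM_LEN or ack[1] != ACKNOWLEDGE:
        return False
    return ack[2] == sent[1] and ack[3:12] == sent[2:11]


if __name__ == "__main__":
    sample_rand = bytes.fromhex("0102030405aa")      # constructed sample value
    msg = build_key_switching_time(BROADCAST_ID, 0x3ABCDEF0, sample_rand)
    print("downstream:", msg.hex())
    print("parsed    :", parse_key_switching_time(msg))
    ack = build_acknowledge(0x07, msg)
    print("ack       :", ack.hex(), "matches:", acknowledgement_matches(ack, msg))
```

The OLT only needs one matching acknowledgement per exchange, so `acknowledgement_matches` is the natural place to discard acknowledgements that echo a different (e.g. stale or retransmitted earlier) Key_Switching_Time message before the exchange is declared successful.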
Step 203: from the current key current_key generated by the previous key exchange and the RAND, the OLT and ONU generate a 128-bit RAND' by RAND' = G(RAND, current_key), and then compute the new key Key by the key generation method Key = f(RAND') specified in the ITU-T G.984.3 standard.
Here, the OLT and ONU generate the new key by the same method, and the concrete formula for computing Key is agreed in advance by the OLT and ONU.
In addition, RAND' is computed by a bitwise XOR of current_key with the random number RAND: current_key is first divided into segments of the length of RAND, each segment is then XORed bitwise with RAND, and finally the XORed segments are concatenated to produce the 128-bit RAND'. The new key Key is then computed from RAND' by the key generation method Key = f(RAND') specified in the ITU-T G.984.3 standard.
Step 204: the OLT receives the acknowledgement PLOAM message sent by the ONU, and when the key switching time arrives, both sides switch to the new key simultaneously.
Here, as long as the OLT receives one acknowledgement message sent by the ONU, the key exchange is considered successful, and when the key switching time arrives, i.e. when the starting frame number of the new key arrives, the OLT and ONU switch to the new key simultaneously. Otherwise the OLT declares the key exchange failed.
At this point one key exchange process of the present invention is complete; whenever a subsequent key exchange period arrives, the PON system uses the above steps 201 to 204 to complete the key exchange.
It can be seen that, compared with the existing method, in the PON system key exchange method provided by the present invention the OLT and ONU perform only one round trip, and the PLOAM messages needed per key exchange fall from 13 in the prior art to six, which improves the efficiency of key exchange and reduces the risk of key exchange failure. In addition, although the random number transmitted between the OLT and ONU is 48 bits, the random number used in the actual encryption process is the 128-bit RAND' computed from the random number RAND and the current key, and RAND' is the value on which the cryptographic algorithm operates. Therefore the security of the encryption system itself is not reduced by the exchanged random number being reduced to 48 bits or less.
The above are only preferred embodiments of the present invention and are not intended to limit the scope of protection of the present invention.
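As an added example (not ZTE's code and not an ITU-T G.984.3 implementation), the following Python carries steps 201 to 204 through once: the RAND' = G(RAND, current_key) derivation by segment-wise XOR from step 203, the three repeated Key_Switching_Time transmissions, acceptance of the first acknowledgement, and the simultaneous copy of the shadow key register into the active key register at the starting frame. Assumptions not on the page: when 128 is not a multiple of the RAND length, the final key segment is shorter than RAND and is XORed with the leading bytes of RAND; the G.984.3 function f is stood in for by SHA-256 truncated to 128 bits; and encryption of RAND and the frame number under the current key is modelled as a tuple tagged with the key used, so an ONU holding a different current key cannot "decrypt" it. Keys, RANDs and frame numbers used in the example are constructed values.

```python
"""Simulation of one key exchange (steps 201-204) between an OLT and one ONU.

Added example for this page; not the patent holder's code.  Loss patterns
for the three downstream and three upstream messages are parameters so the
"one acknowledgement is enough" rule of step 204 can be exercised.
"""
import hashlib
from typing import Optional, Sequence, Tuple

KEY_BYTES = 16        # 128-bit key
MAX_RAND_BYTES = 6    # RAND is at most 48 bits
REPEATS = 3           # Key_Switching_Time is sent three times


def derive_rand_prime(rand: bytes, current_key: bytes) -> bytes:
    """RAND' = G(RAND, current_key): split current_key into RAND-length segments,
    XOR each segment with RAND, and concatenate the results (128 bits out).
    Assumption: the final short segment is XORed with the leading bytes of RAND."""
    if len(current_key) != KEY_BYTES:
        raise ValueError("current key must be 128 bits")
    if not 1 <= len(rand) <= MAX_RAND_BYTES:
        raise ValueError("RAND must be between 1 and 48 bits")
    out = bytearray()
    for start in range(0, KEY_BYTES, len(rand)):
        segment = current_key[start:start + len(rand)]
        out += bytes(a ^ b for a, b in zip(segment, rand))  # zip truncates RAND on the last segment
    return bytes(out)


def key_from_rand_prime(rand_prime: bytes) -> bytes:
    """Stand-in for the G.984.3 key generation f(RAND'); the page does not give f,
    so SHA-256 truncated to 128 bits is used here (assumption)."""
    return hashlib.sha256(rand_prime).digest()[:KEY_BYTES]


class Node:
    """Either endpoint: holds the active and shadow key registers of the text."""

    def __init__(self, current_key: bytes) -> None:
        self.active_key = current_key
        self.shadow_key: Optional[bytes] = None
        self.switch_frame: Optional[int] = None

    def prepare_new_key(self, rand: bytes, first_frame: int) -> None:
        # Step 203: identical computation on both sides from current key and RAND.
        self.shadow_key = key_from_rand_prime(derive_rand_prime(rand, self.active_key))
        self.switch_frame = first_frame

    def on_frame(self, frame: int) -> None:
        # Copy shadow_key_register to active_key_register at the starting frame.
        if self.switch_frame is not None and frame >= self.switch_frame:
            self.active_key, self.shadow_key, self.switch_frame = self.shadow_key, None, None


def run_exchange(olt: Node, onu: Node, first_frame: int, rand: bytes,
                 lost_down: Sequence[bool] = (False,) * REPEATS,
                 lost_up: Sequence[bool] = (False,) * REPEATS) -> Tuple[bool, int]:
    """Run steps 201-204 once; return (OLT declares success, PLOAM messages sent)."""
    # Step 201: RAND and frame number "encrypted" under the OLT's current key.
    sealed = (olt.active_key, first_frame, rand)
    messages = 0
    acks_received = 0
    for i in range(REPEATS):
        messages += 1                          # downstream Key_Switching_Time
        if lost_down[i]:
            continue
        key_used, frame, r = sealed
        if key_used != onu.active_key:         # step 202: ONU cannot decrypt, ignores it
            continue
        onu.prepare_new_key(r, frame)          # step 203 on the ONU side
        messages += 1                          # upstream Acknowledge
        if not lost_up[i]:
            acks_received += 1
    if acks_received == 0:
        return False, messages                 # step 204: OLT declares failure
    olt.prepare_new_key(rand, first_frame)     # step 203 on the OLT side
    return True, messages


if __name__ == "__main__":
    olt, onu = Node(bytes(range(16))), Node(bytes(range(16)))   # constructed current key
    ok, n = run_exchange(olt, onu, 1000, bytes.fromhex("0102030405aa"))
    for frame in range(998, 1001):
        olt.on_frame(frame)
        onu.on_frame(frame)
    print("success:", ok, "messages:", n, "keys equal:", olt.active_key == onu.active_key)
```

With no loss the simulation sends three downstream and three upstream messages, the six the page counts for one exchange. Note that G is linear in current_key (a bitwise XOR), so the secrecy of RAND' and of the new key rests entirely on the secrecy of the current key and on RAND being carried encrypted under it, which is exactly the property the description relies on when it sends RAND downstream. The page only states that the OLT declares failure when no acknowledgement arrives; in the simulation the ONU has by then already armed its shadow register, so an implementation needs an agreed rule for that case.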

Claims (9)

1. the method for passive optical network PON system key exchange is characterized in that this method may further comprise the steps:
A, the cipher key change cycle first time arrive, key exchange method according to standard carries out cipher key change generation first time key, the new key updating cycle is when arriving, optical line terminal OLT is put into key down physical layer switching time operation management maintain PLOAM message and is sent to optical network unit ONU after utilizing current key to encrypt the switching time first random number that self produced and key;
B, ONU receive the key PLOAM switching time message that OLT sends, and utilize current key to be decrypted and extract described first random number and key after switching time, send to OLT and confirm response message;
C, OLT and ONU all utilize described first random number and current key, carry out computing in an identical manner and generate new key;
D, OLT receive the affirmation response message that ONU sends, and when described key arrived switching time, OLT and ONU switched to new key simultaneously.
2. method according to claim 1 is characterized in that, described key switching time is that OLT is the determined initial frame number of described new key.
3. method according to claim 2 is characterized in that, arrival switching time of described key arrives for described initial frame number.
4. method according to claim 1 is characterized in that, the length of described first random number is smaller or equal to 48 bits.
5. method according to claim 1 is characterized in that, described OLT is three times to the number of times that ONU sends key PLOAM switching time message.
6. method according to claim 5 is characterized in that, described ONU is when PLOAM message that OLT send to confirm to reply, and the number of times of transmission is three times.
7. method according to claim 1, it is characterized in that, the generation method of new key described in the step C is: OLT and ONU generate second random number of this cipher key change all according to current key and described first random number, calculate new key by this second random number.
8. method according to claim 7 is characterized in that, the length of described second random number is 128 bits.
9. according to claim 7 or 8 described methods, it is characterized in that described second random number is by carrying out the acquisition of step-by-step XOR with described first random number and described current key.
Application CN2008101020327A, priority date 2008-03-14, filing date 2008-03-14: Method for cryptographic key exchange of passive optical network system. Status: Active. Publication: CN101247220B (en).

Priority Applications (1)

Application Number   Publication         Priority Date   Filing Date   Title
CN2008101020327A     CN101247220B (en)   2008-03-14      2008-03-14    Method for cryptographic key exchange of passive optical network system

Applications Claiming Priority (1)

Application Number   Publication         Priority Date   Filing Date   Title
CN2008101020327A     CN101247220B (en)   2008-03-14      2008-03-14    Method for cryptographic key exchange of passive optical network system

Publications (2)

Publication Number   Publication Date
CN101247220A (en)    2008-08-20
CN101247220B (en)    2011-03-02

Family

ID=39947454

Family Applications (1)

Application Number   Status   Publication         Priority Date   Filing Date   Title
CN2008101020327A     Active   CN101247220B (en)   2008-03-14      2008-03-14    Method for cryptographic key exchange of passive optical network system

Country Status (1)

Country Link
CN (1) CN101247220B (en)

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number        Priority date   Publication date   Assignee                         Title
US8850197B2 (en)          2009-07-31      2014-09-30         Futurewei Technologies, Inc.     Optical network terminal management control interface-based passive optical network security enhancement
WO2011017847A1 (en) *     2009-08-14      2011-02-17         华为技术有限公司                 Method and device for exchanging key
CN102256187B (en) *       2010-05-21      2014-04-09         中兴通讯股份有限公司             Method, device and optical fiber terminal for sending PLOAM (Physical Layer Operation Administration and Maintenance) message
CN103166758A (en) *       2011-12-19      2013-06-19         中兴通讯股份有限公司             Method and system for gigabit-capable passive optical network (GPON) uplink advanced encryption standard (AES) encryption key updating
CN106301768B (en) *       2015-05-18      2020-04-28         中兴通讯股份有限公司             Method, device and system for updating key based on optical transport network OTN
JP7157156B2 (en) *        2018-07-20      2022-10-19         オリンパス株式会社               Wireless communication device, wireless communication system, wireless communication method and program
CN113973000A (en) *       2020-07-25      2022-01-25         华为技术有限公司                 Method and device for processing pre-shared key PSK

Also Published As

Publication number   Publication date
CN101247220A (en)    2008-08-20

Similar Documents

Publication   Title
CN101247220B (en) Method for cryptographic key exchange of passive optical network system
US8442229B2 (en) Method and apparatus for providing security in a passive optical network
CN100596060C (en) A method, system and device for preventing optical network unit in passive optical network from being counterfeiting
CN101197663B (en) Protection method for Gigabit passive optical network encryption service
CN101102152B (en) Method for guaranteeing data security in passive optical network
CN113114460B (en) Quantum encryption-based power distribution network information secure transmission method
CN101998193B (en) The cryptographic key protection method of EPON and system
CN101677414A (en) Method, system and device for leading user side terminal to obtain password
Jiang et al. Robust group key management with revocation and collusion resistance for SCADA in smart grid
CN103023579A (en) Method for conducting quantum secret key distribution on passive optical network and passive optical network
CN101183934A (en) Cipher key updating method in passive optical network
CN203251308U (en) Passive optical network
CN102611557A (en) Safe network coding data transmission method based on knapsack cryptosystem
CN102239661A (en) Method and device for exchanging key
CN101778311A (en) Distribution method of optical network unit marks and optical line terminal
CN102035642B (en) Selection and synchronization method for counter in block cipher counter running mode
KR100594023B1 (en) Method of encryption for gigabit ethernet passive optical network
CN101388765B (en) Ciphering mode switching method for G bit passive optical fiber network system
CN101998180B (en) Method and system for supporting version compatibility between optical line terminal and optical network unit
CN101388806B (en) Cipher consistency detection method and apparatus
EP2151946B1 (en) A method for detecting the key of the gigabit passive optical network
CN101072094B (en) Key agreement method and system for PON system
JP2004260556A (en) Station-side apparatus, subscriber-side apparatus, communication system, and encryption key notifying method
CN102237999B (en) Message treatment method and message dispensing device
CN103516515A (en) Encryption/decryption seamless switch achieving method, OLT and ONU in GPON system

Legal Events

Code   Title
C06    Publication
PB01   Publication
C10    Entry into substantive examination
SE01   Entry into force of request for substantive examination
C14    Grant of patent or utility model
GR01   Patent grant