WO2017092465A1 - Procédé de cryptage de paquet de diffusion, olt, onu, et support de stockage informatique - Google Patents

Procédé de cryptage de paquet de diffusion, olt, onu, et support de stockage informatique Download PDF

Info

Publication number
WO2017092465A1
WO2017092465A1 PCT/CN2016/098281 CN2016098281W WO2017092465A1 WO 2017092465 A1 WO2017092465 A1 WO 2017092465A1 CN 2016098281 W CN2016098281 W CN 2016098281W WO 2017092465 A1 WO2017092465 A1 WO 2017092465A1
Authority
WO
WIPO (PCT)
Prior art keywords
broadcast
key
message
olt
encryption
Prior art date
Application number
PCT/CN2016/098281
Other languages
English (en)
Chinese (zh)
Inventor
张剑英
Original Assignee
深圳市中兴微电子技术有限公司
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by 深圳市中兴微电子技术有限公司 filed Critical 深圳市中兴微电子技术有限公司
Publication of WO2017092465A1 publication Critical patent/WO2017092465A1/fr

Links

Images

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/40Network security protocols
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/06Network architectures or network communication protocols for network security for supporting key management in a packet data network
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/06Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols the encryption apparatus using shift registers or memories for block-wise or stream coding, e.g. DES systems or RC4; Hash functions; Pseudorandom sequence generators
    • H04L9/0618Block ciphers, i.e. encrypting groups of characters of a plain text message using fixed encryption transformation
    • H04L9/0631Substitution permutation network [SPN], i.e. cipher composed of a number of stages or rounds each involving linear and nonlinear transformations, e.g. AES algorithms
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0838Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0891Revocation or update of secret information, e.g. encryption key update or rekeying
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2209/00Additional information or applications relating to cryptographic mechanisms or cryptographic arrangements for secret or secure communication H04L9/00
    • H04L2209/60Digital content management, e.g. content distribution
    • H04L2209/601Broadcast encryption

Definitions

  • the present invention relates to the field of optical communications, and in particular, to a broadcast message encryption method, an OLT, an ONU, and a computer storage medium.
  • an Ethernet Passive Optical Network includes an Optical Line Terminal (OLT), an Optical Distribution Network (ODN), and an Optical Network Unit. (Optical Network Unit, ONU for short).
  • OLT Optical Line Terminal
  • ODN Optical Distribution Network
  • ONU Optical Network Unit
  • the optical signal transmission between the OLT and the ONU is possible; and the transmission channel from the OLT to the ONU is called the downlink channel, and the transmitted data is the downlink data.
  • the ODN is used in the OLT and the ONU. Provide light channels between.
  • an optical line terminal can be connected to a plurality of optical network units through a splitter. If the downlink data transmitted by the OLT to the ONU is not encrypted, the ONU may overhear other ONU information. In order to avoid this situation, the downlink data must be encrypted to prevent leakage of information between the ONUs.
  • the embodiments of the present invention are expected to provide a broadcast message encryption method, an OLT, an ONU, and a computer storage medium, which can at least partially solve the problem of information leakage.
  • a first aspect of the embodiments of the present invention provides a method for encrypting a broadcast message, where the method includes:
  • the optical line terminal OLT determines the designated broadcast message to be encrypted
  • the method further includes:
  • the OLT negotiates an encryption key with the ONU to determine an encryption key and a key index
  • the key index is used by the ONU to determine the encryption key.
  • the OLT negotiates an encryption key with the ONU to determine an encryption key and a key index, including:
  • the OLT negotiates an encryption key with the ONU to determine an encryption key and a key index, and further includes:
  • the key request message is resent.
  • the optical line terminal OLT determines the specified broadcast message to be encrypted, including:
  • the method further includes:
  • the specified broadcast message is encrypted to form a broadcast encrypted message.
  • a second aspect of the embodiments of the present invention provides a method for encrypting a broadcast message, where the method includes:
  • the ONU negotiates an encryption key with the OLT to determine an encryption key and a key index
  • the encryption key and the key index are used by the OLT to encrypt a broadcast message and the ONU decrypt the broadcast encrypted message formed by the OLT encryption.
  • the method further includes:
  • a third aspect of the embodiments of the present invention provides an optical line terminal OLT, where the OLT includes:
  • a first determining unit configured to determine a specified broadcast message to be encrypted
  • Forming a unit configured to encrypt the specified broadcast packet to form a broadcast encrypted packet
  • the first sending unit is configured to send the broadcast encrypted message to the optical network unit ONU.
  • the OLT further includes:
  • the first negotiation unit is configured to negotiate an encryption key between the OLT and the ONU, and determine an encryption key and a key index;
  • the forming unit is configured to encrypt the to-be-encrypted portion of the specified broadcast message by using the encryption key, and carry the key index in a plaintext portion of the specified broadcast message to form the broadcast Encrypted message;
  • the key index is used by the ONU to determine the encryption key.
  • the first sending unit is further configured to send a key request message to the ONU that receives the broadcast encrypted message; after the key request message is sent, start the first timing;
  • the OLT further includes:
  • the first receiving unit is configured to receive, according to the timing of the first timing, a response message that is returned by the ONU based on the key request message;
  • the first negotiating unit is configured to extract the encryption key from the response message.
  • the first sending unit is further configured to resend the key request message if the response message has not been received or the encryption key is not extracted after the first timing timeout.
  • the first determining unit is configured to parse the preamble and the opcode opcode field of the packet to obtain parsing information; and determine, according to the parsing information, whether the packet is a specified packet to be encrypted.
  • the OLT further includes:
  • a detecting unit configured to detect a broadcast encryption enable switch
  • the forming unit is configured to encrypt the specified broadcast message to form a broadcast encrypted message if the broadcast encryption enable switch is enabled.
  • a fourth aspect of the embodiments of the present invention provides an optical network unit ONU, where the ONU includes:
  • a second negotiating unit configured to negotiate an encryption key with the OLT, and determine an encryption key and a key index
  • a storage unit configured to store the encryption key and a key index
  • the encryption key and the key index are used by the OLT to encrypt a broadcast message and the ONU decrypt the broadcast encrypted message formed by the OLT encryption.
  • the ONU further includes:
  • a second receiving unit configured to receive the broadcast encrypted message sent by the OLT
  • a parsing unit configured to parse the plaintext portion of the broadcast encrypted packet to determine a key index
  • a query unit configured to query an encryption key according to the key index
  • a decryption unit configured to decrypt the ciphertext portion of the broadcast encrypted message based on the encryption key.
  • the embodiment of the invention further discloses a computer storage medium, wherein the computer storage medium stores computer executable instructions, and the computer executable instructions are used to execute at least one of the broadcast message encryption methods.
  • the broadcast message encryption method, the OLT, the ONU, and the computer storage medium provided by the embodiment of the present invention determine the specified broadcast message to be encrypted, and then encrypt the broadcast message to form a broadcast encrypted message, and the OLT sends the broadcast to the ONU.
  • the message is encrypted, which reduces the theft and information leakage caused by the plaintext transmission during the transmission of the broadcast message. By encrypting the broadcast message, the difficulty of information leakage is increased, and the information security is improved.
  • FIG. 1 is a schematic structural view of an EPON system
  • FIG. 2 is a schematic flowchart of a method for encrypting a first broadcast packet according to an embodiment of the present invention
  • FIG. 3 is a schematic flowchart of a method for encrypting a second broadcast packet according to an embodiment of the present disclosure
  • FIG. 4 is a schematic flowchart of a third method for encrypting a broadcast packet according to an embodiment of the present invention.
  • FIG. 5 is a schematic flowchart of a method for encrypting a fourth broadcast packet according to an embodiment of the present disclosure
  • FIG. 6 is a schematic structural diagram of an OLT according to an embodiment of the present disclosure.
  • FIG. 7 is a schematic structural diagram of an ONU according to an embodiment of the present disclosure.
  • FIG. 8 is a schematic structural diagram of a part of a packet according to an embodiment of the present disclosure.
  • FIG. 9 is a schematic flowchart of AES encryption according to an embodiment of the present invention.
  • FIG. 10 is a schematic diagram of comparison of data frames before and after encryption using triple-stirring according to an embodiment of the present invention.
  • FIG. 11 is a flowchart showing an encryption key negotiation process in a triple agitation encryption process according to an embodiment of the present invention. intention.
  • the present embodiment provides a method for encrypting a broadcast message, encrypting a specified broadcast message to be encrypted, and improving information security.
  • Embodiment 1 is a diagrammatic representation of Embodiment 1:
  • this embodiment provides a method for encrypting a broadcast message, where the method includes:
  • Step S110 The optical line terminal OLT determines a designated broadcast message to be encrypted.
  • Step S120 Encrypt the specified broadcast packet to form a broadcast encrypted packet.
  • Step S130 Send the broadcast encrypted message to the optical network unit ONU.
  • the OLT before the OLT sends the downlink data, if the downlink data sent is a broadcast packet, it is determined whether it is a specified broadcast packet that needs to be encrypted.
  • the specified broadcast message here can be a broadcast message of a specified type. Specifically, the broadcast message may be classified into a registered broadcast message and a non-registered broadcast message; and the specified broadcast message may be a non-registered broadcast message.
  • the OLT receives an indication instruction, which is to encrypt a certain broadcast message, and the broadcast message specified to be encrypted is the designated broadcast message.
  • the body part of the broadcast message may be parsed, and the corresponding broadcast message is determined to be the specified broadcast message according to the security requirement of the content of the body part.
  • step S120 the specified broadcast message is encrypted to form a broadcast encrypted message.
  • the content of the broadcast message cannot be obtained or the broadcast message is stolen without the key.
  • the difficulty of the content increases.
  • Broadcasting the message in step S120 Encryption can include all encryption or partial encryption.
  • the partial encryption here may be only encrypting part of the content of the broadcast message, for example, not encrypting the header of the broadcast message, but only encrypting the body of the broadcast message.
  • the all encryption is to encrypt the entire broadcast message.
  • the broadcast encrypted packet formed by the encryption is sent to the ONU, and the transmission can be sent to the ONU through the ODN.
  • the broadcast packet encryption method in this embodiment not only improves the security of information transmission between the OLT and the ONU, but also reduces information leakage, and has the characteristics of being simple and convenient to implement.
  • the method further includes:
  • Step S101 The OLT negotiates an encryption key with the ONU to determine an encryption key and a key index.
  • the step S120 may include: encrypting, by using the encryption key, the to-be-encrypted part of the specified broadcast message, and carrying the key index in a plaintext part of the specified broadcast message to form the broadcast. Encrypting a message; wherein the key index is used by the ONU to determine the encryption key.
  • the OLT performs an encryption key negotiation with the ONU that needs to receive the broadcast message.
  • the OLT and the corresponding ONU determine the encryption key, so that the subsequent ONU can decrypt the broadcast encrypted message.
  • an cryptographic key may be determined by the OLT and sent to the ONU, or the ONU may determine an encryption key and send it to the OLT.
  • the encryption key is generally determined by the ONU and sent to the OLT through the uplink optical channel.
  • a key index is further determined. After the ONU receives the broadcast encrypted message, the ONU extracts the plaintext portion of the broadcast encrypted message to determine the encryption key.
  • the key index here may also be determined by the ONU, or may be determined by the OLT. In this embodiment, it is preferable that the key index is determined by a party forming the encryption key.
  • the plaintext part of the key index in the embodiment may be included in the packet header in the packet.
  • Preamble the key index may be represented by a portion of the 5th byte of the preamble; specifically, the last 2 bits of the 5th byte are used to represent the key index.
  • the OLT performs the negotiation of the encryption key with the ONU in advance, thereby determining the encryption key and the key index, so as to facilitate the decryption of the subsequent broadcast encrypted message.
  • the OLT and the ONU may set multiple encryption keys in advance, and only need to negotiate the key index corresponding to the encryption key when performing negotiation.
  • the encryption key is dynamically generated for one end of the OLT and the ONU, and is not selected from a plurality of preset keys.
  • step S101 may include:
  • the key request message may correspond to a key request frame, for example, the OLT sends a key request frame to the ONU that receives the corresponding broadcast message, and the ONU receives the key request frame. A key notification frame carrying the encryption key is then restored as the response message. In this way, the OLT can extract an encryption key for encrypting the broadcast message from the response message.
  • the response message further includes a key index, where the key index may be a serial number of the key or the like.
  • the OLT after the OLT sends the key request message, it starts a timer to count or starts a counter to count, and if the OLT receives the response message within the first time, indicating The negotiation is successful; this limits the invalidity of the key negotiation, and avoids the security problem of the encryption key caused by neglecting the timeliness in the key negotiation process.
  • the step S101 further includes: if the first timing timeout has not received the response message or the encryption key is not extracted, and the response message has not been received, resending the key Request message. If the current OLT has data to be sent, in the embodiment, the OLT may resend the key request message when the first timing expires or the encryption key is not extracted, so as to re-key negotiation to ensure broadcast. The normal transmission of the message.
  • the current ONU may be faulty. Even if the key request message is continued to be sent, the OLT load is too large.
  • the specified number of times may be specified in this embodiment. If the number of times exceeds the specified number of times, the key request message is stopped or the key negotiation request message is sent after the specified length of time is stopped, or the prompt information such as the key negotiation failure is output.
  • the step S110 may include:
  • Step S111 Parsing a preamble of the message and an opcode field of the operation code to obtain parsing information
  • Step S112 Determine, according to the parsing information, whether the packet is a specified packet to be encrypted.
  • the step S111 may include: parsing a preamble of the broadcast message, extracting a mode bit and a logical link identifier in the preamble; and determining, according to the mode bit and/or the logical link identifier, whether the packet is Broadcast message.
  • the packets can be classified into broadcast packets, unicast packets, and multicast packets.
  • the message can be further divided into a packet header and a body part, and the message includes a preamble, a destination address (DA), a source address (Source) address, and a type field.
  • Two logical link identification (LLID) fields are included in the preamble.
  • each LLID includes 8 bits; thus, the two LLID fields have a total of 16 bits, the most significant bits of the 16 bits are the mode bits, and the last 15 bits are the logical link identifiers used to record the broadcast message. In the normal case, if the mode bit is 1, it indicates that the message is a broadcast message. If the last 15 bits are all 1, the message is a broadcast message.
  • Step S112 is to parse the content in the opcode field to determine whether the broadcast packet is A registration message that cannot be encrypted. For example, when the content of the opcode field is 02, 04, 05, and 06, the broadcast message is usually a registration message, where 02, 04, 05, and 06 are hexadecimal numbers. Therefore, if the content of the opcode field is not hexadecimal 02, 04, 05, and 06 in step S112, the broadcast message can be used as the specified broadcast message to be encrypted.
  • broadcast packets are not encrypted. In some special scenarios, such as performing broadcast packet transmission and reception tests on certain ONUs, it may only be necessary to send broadcast packets to specific broadcasts. ONU.
  • the method further includes: detecting a broadcast encryption enable switch in the embodiment; the step S120 includes: if the broadcast encryption enable switch is in the If the status is enabled, the specified broadcast packet is encrypted to form a broadcast encrypted packet.
  • an encryption enable switch can be configured for the OLT in advance. If the broadcast packet to be encrypted needs to be sent, the broadcast encryption enable switch is enabled, and the OLT is triggered. The above steps S110 to S130 are performed.
  • the default state of the broadcast encryption enable switch is a non-enabled state. In the non-enabled state, the OLT does not perform encryption processing on the broadcast message.
  • the first type: Advanced Encryption Standard (AES) encryption is performed on the specified packet.
  • AES encryption is an encryption method based on the block encryption standard.
  • the encrypted portion of the specified broadcast message that needs to be encrypted may be divided into a plurality of blocks, for example, the continuously distributed 128-bit data in the encrypted portion. Divided into one block, each block is encrypted using an encryption key of length 128 bits.
  • the specified broadcast message is agitated and encrypted using the agitation key, for example, the specified broadcast message is triple-aguttered and encrypted using the agitation key.
  • Stirring encryption is to use the agitation key to scramble the content that needs to be encrypted, so that the information after the agitation is encrypted is out of order, so that there is no agitation. Even if the key's ONU steals the message, it will consider it a meaningless garbled message.
  • triple-stirring may be used to perform at least three times of agitation encryption on the specified broadcast message.
  • the embodiment provides a method for encrypting broadcast packets, which can encrypt some broadcast packets that need to be encrypted, improve information security of broadcast packets, and reduce information leakage.
  • Embodiment 2 is a diagrammatic representation of Embodiment 1:
  • this embodiment provides a method for encrypting a broadcast message, where the method includes:
  • Step S210 The ONU negotiates an encryption key with the OLT to determine an encryption key and a key index.
  • Step S220 storing the encryption key and a key index
  • the encryption key and the key index are used by the OLT to encrypt a broadcast message and the ONU decrypt the broadcast encrypted message formed by the OLT encryption.
  • the broadcast packet encryption method in this embodiment is applied to the ONU.
  • the OLN negotiates with the OLT for the encryption key of the broadcast packet encryption to determine the encryption key and the key index.
  • the encryption key and the key index are stored in step S220, so that when the broadcast encrypted message is received subsequently, the encryption key can be found by using the key index, and the encryption key is used to decrypt the The broadcast encrypted message; this can reduce the phenomenon that broadcast messages are stolen by other unrelated ONUs.
  • step S220 in this embodiment may occur before the step S210.
  • the ONU pre-stores a plurality of encryption keys and a key index corresponding to the encryption key.
  • the The ONU picks a set from the pre-stored encryption key and key index as an encryption key and a key index for the current broadcast message exchange with the OLT. Therefore, the execution sequence of step S210 and step S220 in this embodiment may be as shown in FIG. 4, or may be before step S220, and step S210 is followed.
  • the method further includes:
  • Step S230 Receive a broadcast encrypted message sent by the OLT.
  • Step S240 Parsing the plaintext part of the broadcast encrypted message, and determining a key index
  • Step S250 Query an encryption key according to the key index
  • Step S260 Decrypt the ciphertext part of the broadcast encrypted message based on the encryption key.
  • the ONU receives the broadcast encrypted packet and parses the plaintext portion of the broadcast encrypted packet, where the plaintext portion may include a preamble.
  • the key index is obtained by parsing the field of the key index, and the key index is obtained, and the corresponding encryption key is searched by using the key index, and finally the step S260 is used to decode the broadcast encrypted message by using the encryption key.
  • the ciphertext part has the characteristics of easy implementation. It should be noted that if the encryption mode of the broadcast encrypted message is symmetric encryption in step S260, the encryption key is also a decryption key, and the broadcast encrypted message can be directly decoded by using the encryption key. .
  • the encryption mode of the broadcast encrypted message is asymmetric encryption
  • the encryption key corresponds to a decryption key
  • the decryption key needs to be determined according to the encryption key, and the decryption key is used to secretify the message. Broadcast encrypted messages.
  • Embodiment 3 is a diagrammatic representation of Embodiment 3
  • an embodiment of the present invention provides an optical line terminal OLT, where the OLT includes:
  • the first determining unit 110 is configured to determine a specified broadcast message to be encrypted.
  • the forming unit 120 is configured to encrypt the specified broadcast message to form a broadcast encrypted message.
  • the first sending unit 130 is configured to send the broadcast encrypted message to the optical network unit ONU.
  • the embodiment provides an OLT, and the OLT includes the first determining unit 110, the forming unit 120, and the first sending unit 130.
  • the first determining unit 110 and the forming unit 120 may each correspond to a processor or processing circuit in the OLT, and the processor may include a central processing unit, an application processor, a microprocessor, and a digital signal processor. Or a programmable array.
  • the processor or processing circuit implements the functions of the first determining unit 110 and the forming unit 120 by executing a designated code.
  • the first sending unit 130 corresponds to an optical sending interface of the OLT, for example, corresponding to The downlink sending interface that the OLT sends a signal to the ONU can be used to send the encrypted message to the OUN.
  • the OLT encrypts the broadcast packet that needs to be encrypted, and prevents other ONUs that do not need to receive the broadcast packet from leaking the information content of the broadcast packet, thereby improving the security of the information.
  • the OLT further includes: a first negotiating unit configured to negotiate an encryption key with the ONU to determine an encryption key and a key index; and the forming unit 120 is configured to use the encryption key pair
  • the part to be encrypted of the specified broadcast message is encrypted, and the key index is carried in the plaintext part of the specified broadcast message to form the broadcast encrypted message; wherein the key index is used for the
  • the ONU determines the encryption key.
  • the first negotiating unit may correspond to a communication interface or a processor, and may determine the encryption key and the key index by performing operations such as multiple information interaction and information parsing extraction with OUN.
  • the encryption key can be easily negotiated by the setting of the first negotiation unit, so that the ONU can be subsequently decrypted by the ONU.
  • the first sending unit 130 is further configured to send a key request message to the ONU that receives the broadcast encrypted message; after sending the key request message, start the first timing;
  • the OLT further includes:
  • the first receiving unit is configured to receive, according to the timing of the first timing, a response message that is returned by the ONU based on the key request message;
  • the first negotiating unit is configured to extract the encryption key from the response message.
  • the first receiving unit may include a downlink receiving interface of the OLT, and is configured to receive the response message from the ONU.
  • the first timing is also set to avoid various information security problems caused by excessive negotiation time.
  • the information security problem herein may include that the encryption key is leaked.
  • the first sending unit 130 is further configured to time out if the first timing The key request message is resent if the response message has not been received or the encryption key has not been extracted. In this embodiment, of course, in order to ensure the smooth transmission of the broadcast message, if at least one of the above three cases occurs, the key request message will be resent. In a specific implementation, the first sending unit 130 sends the key request message to the same ONU until the specified number of times is reached, or stops after a period of time, or sends a negotiation failure warning to the upper device. Information, etc.
  • the first determining unit 110 is configured to parse a preamble of the message and an opcode field to obtain parsing information; and determine, according to the parsing information, whether the packet is a specified packet to be encrypted.
  • the preamble includes information such as the mode bit and the logical link identifier mentioned in the foregoing embodiment, and the preamble can be used to determine whether the packet that needs to be sent is a broadcast packet, and the content of the opcode field can be determined according to the content of the opcode field.
  • Whether the specified broadcast message to be encrypted has the characteristics of simple structure and simple implementation.
  • the OLT further includes:
  • a detecting unit configured to detect a broadcast encryption enable switch
  • the forming unit 120 is configured to encrypt the specified broadcast message to form a broadcast encrypted message if the broadcast encryption enable switch is in an enabled state.
  • the detecting unit may correspond to a processor or a processing circuit, and may detect whether a field indicating the broadcast encryption enable in the OLT is set to a specified value corresponding to the enabled state.
  • the state of the broadcast encryption enable switch is determined.
  • the detection of the state of the broadcast encryption enable switch by the detection unit can be well compatible with the prior art by the setting of the detection unit. In the default state, the broadcast encryption enable switch is normally disabled. Avoid affecting the transmission of most broadcast messages that do not require encryption.
  • Embodiment 4 is a diagrammatic representation of Embodiment 4:
  • the embodiment provides an optical network unit ONU, where the ONU includes:
  • the second negotiating unit 210 is configured to negotiate an encryption key with the OLT, and determine an encryption key and a key index.
  • the storage unit 220 is configured to store the encryption key and a key index
  • the encryption key and the key index are used by the OLT to encrypt a broadcast message and the ONU decrypt the broadcast encrypted message formed by the OLT encryption.
  • the second negotiating unit 210 in this embodiment may correspond to an optical communication interface, a processor, a processing circuit, or the like in the ONU, and perform information interaction with the OLT by using an optical communication interface, and determine a key index and a key through information interaction. index. For example, at least one of the determined encryption key and the key index is transmitted to the OLT using the optical communication interface.
  • the ONU further includes a storage unit 220 that can correspond to various storage media in the ONU, and can be used to store the encryption key and a key index.
  • the ONU can assist the OLT in determining the encryption key through the negotiation with the OLT, so that the OLT can encrypt the broadcast message to be encrypted by the OLT to improve the information security of the broadcast message.
  • the ONU further includes:
  • a second receiving unit configured to receive the broadcast encrypted message sent by the OLT
  • a parsing unit configured to parse the plaintext portion of the broadcast encrypted packet to determine a key index
  • a query unit configured to query an encryption key according to the key index
  • a decryption unit configured to decrypt the ciphertext portion of the broadcast encrypted message based on the encryption key.
  • the second receiving unit in this embodiment may correspond to an optical communication interface capable of optical communication with the OLT, and is capable of receiving information, such as the broadcast encrypted message, from the OLT.
  • the broadcast encrypted message may include a plaintext part and a ciphertext part; in the embodiment of the present invention, information requiring confidentiality is located in the ciphertext part.
  • the plaintext portion may include information such as a preamble of the message.
  • the key index is also located in the plaintext portion. Therefore, in this embodiment, the parsing unit will be the plaintext department.
  • the decryption is performed to obtain the key index, and the encryption key is determined according to the key index, thereby decrypting the encrypted portion of the broadcast encrypted message based on the encryption key, thereby obtaining the packet of the decrypted original broadcast message.
  • the content realizes the encrypted interaction of broadcast messages, which can prevent information leakage and improve the security of information.
  • the embodiment of the present invention further provides a computer storage medium, where the computer storage medium stores computer executable instructions, and the computer executable instructions are used to execute any one or more of the foregoing broadcast message encryption methods, for example, 2.
  • the computer storage medium in this embodiment may be a computer storage medium such as an optical disk, a hard disk, a magnetic disk, a magnetic tape, a flash disk, or the like, and may be a non-transitory storage medium.
  • the present example provides a broadcast message encryption system, which can be applied to systems in an OLT and an ONU, including: a broadcast service packet authentication unit, an interaction unit, a preamble modification unit, an AES encryption unit, and a triple agitation encryption unit.
  • performing broadcast message encryption includes the following steps:
  • the first step using the broadcast service packet authentication unit to complete the identification of the broadcast packet.
  • the content of the logical link identifier and the mode bit can be used to determine whether the corresponding packet is a broadcast message. Generally, if the mode bit value is 1, it indicates that the message is a broadcast message; or, when each bit of the logical link identifier is 1, it indicates that the message is a broadcast message.
  • 8 is a partial schematic diagram of a message including a preamble, a destination address DA field, a source address SA field, a length/type field, an OP-code field, and the like; and a data area and the like are not shown in FIG. 8.
  • the preamble includes a reserved field 1, a reserved field 2, a Start of Packet Delimiter (SPD) field, an LLID of two bytes in length, and a check CRC field.
  • SPD Start of Packet Delimiter
  • Step 2 Use the interactive unit to determine whether to perform various encryptions such as encryption and encryption. parameter.
  • the step may specifically include: determining whether to apply for an encryption key according to a pre-configured broadcast encryption enable switch whenever a new broadcast data packet header is received.
  • the broadcast message key index is configured with a direct register. If the broadcast encryption switch is enabled, the key index of the direct register configuration is directly queried, and whether the encryption and encryption modes are required is determined according to the key index.
  • the encryption methods in this example may include AES encryption and triple-agitation encryption.
  • the third step the preamble modification unit determines whether to modify the preamble (preamble modification unit) according to the processing of the previous key interaction unit. After applying for the encryption key, the broadcast encryption enables the state of the switch to remain valid. Then, the lower 2 bits of the 5th byte in the preamble are changed to 1 and the key index, and the modified preamble is checked to generate a check value. For example, a loop check is performed on the modified preamble to generate a loop check value.
  • Step 4 Encrypt according to the encryption and encryption methods in the second step.
  • the encryption method may include AES encryption and triple agitation encryption. The following describes the specific implementation of AES encryption and triple agitation encryption.
  • the data to be encrypted is divided into a plurality of data blocks, each of which includes 128 bits. As shown in FIG. 9, the data block formed by the division is used as an input block, and is used as an input of the encryption logic together with the encryption key. After AES encryption, the encrypted output block is formed. Typically, the output block includes the same number of bits as the input block. Next, the output block is XORed with the last 16 bytes of the corresponding plaintext block to obtain the ciphertext that has been AES encrypted.
  • the AES encryption unit is further configured to finally determine an encryption key; specifically, the method may include:
  • the OLT issues a KEY_ASSIGN message.
  • the KEY_ASSIGN message includes an initial value of the 16-bit encrypted input value, a first key activation time, and a 128-bit initial key.
  • the KEY_ASSIGN message here corresponds to the key request message in the foregoing embodiment.
  • the receiving ONU sends a KEY_RESPONSE message.
  • the KEY_RESPONSE contains a 128-bit updated key and a second key activation time.
  • the KEY_RESPONSE message here corresponds to the response message in the previous embodiment.
  • the first key activation time is a timestamp of the OLT sending the KEY_ASSIGN message
  • the second key activation time is a timestamp of sending the KEY_RESPONSE message. According to the two timestamps, the transmission delay can be determined, if the transmission delay is greater than the predetermined time. Delay, in this case, the negotiation can be considered to have failed.
  • the 128 initial key sent by the OLT can be used as an initial value of the updated key formed by the ONU.
  • the 128 initial key and the 128 updated key may also have no relationship at all.
  • the updated key is the encryption key used to encrypt the specified broadcast message in the foregoing embodiment.
  • Step 6 The triple-stirring encryption unit is used for triple-stirring encryption.
  • the OLT proposes a key update request, and the ONU provides a 3-byte agitation key, and the OLT uses the agitation key to complete the agitation encryption.
  • the agitation encryption is enabled, all data frames and OAM frames of the unregistered broadcast message are agitated.
  • the unregistered broadcast message corresponds to the aforementioned specified broadcast message.
  • the agitation key is the result of the addition or addition of 3-byte data and 3-byte random number extracted by the ONU from the uplink user data.
  • the fifth byte in the preamble is used as the identification field of the agitation key index to implement key synchronization.
  • the format in which the broadcast data frame is agitated before encryption and the format after the encryption is encrypted are shown in FIG.
  • the data frame before the agitation encryption shown in FIG. 10 includes a preamble and other data in the form of a plaintext.
  • the mode bit and the logical link identifier are stored in the field, and two reserved fields 1 and reserved words each having a length of 2 bytes are stored.
  • Paragraph 2 In the agitated encrypted data frame, an encrypted index is added to the last byte of the reserved field 2 of the sign-in code. And in agitating the encrypted data, the data agitation agitation zone is agitated and encrypted using the agitation key.
  • the data agitation area shown in FIG. 10 may include a destination address DA field, a source address SA field, a length/type field, and a data area and an FCS field.
  • the FCS is an abbreviation of Frame Check Sequence, which is a check field; the data can be verified by using a cyclic check code that saves the data frame.
  • the verification data stored in the FCS can be used to verify the data stored in the data area.
  • the check code stored in the preamble cyclic check code CRC field can be used to verify the data stored in the preamble.
  • the key update is implemented by a new key request frame (new_key_request) and a key notification frame (new_churning_key).
  • the OLT sends a new key request frame including the new key request to the ONU, the request frame containing the sequence number of the key currently being used for downlink encryption.
  • the new key request frame here is equivalent to the key request message in the foregoing embodiment.
  • the ONU After receiving the new key request frame, the ONU generates a new agitation key, and the serial number of the agitation key may be a binary sequence number, which may be a binary of the lowest bit of the In-use_Key_Index byte in the received new key request frame. Complement code.
  • the ONU sends a new key notification frame to the OLT, and the new key notification frame includes a new key index field and a new agitation key field.
  • the new key index field includes a key index with a data length of 1 byte
  • the new agitation key field includes a churn key with a data length of 3 bytes.
  • the lowest bit value of the new key sequence index field (New_Key_Index) is a new key index, and the remaining bit values can be set to a specified value, where the specified value can be 0 or 1.
  • the new key notification frame herein may correspond to the response message returned based on the key request message in the foregoing embodiment.
  • the OLT After the OLT receives the new key notification frame, it can use the new agitation key to agitate the subsequent frames. Key synchronization relies on the second byte in reserved field 2 in each frame. As long as the ONU receives the agitation frame sent by the OLT, the key index Key_Index can be the new key. The key number in the notification frame, the ONU uses the new key to de-agile.
  • the second byte of the reserved field 2 may be provided with a Flag and an encrypted index; the Flag may include 1 bit, indicating whether the current message is encrypted, for example, when the content of the bit is 0, it is not encrypted. This bit is 1 for encryption.
  • the index information such as the key label of the encryption key indicated by the bit corresponding to the encryption index.
  • the OLT has a timer key_update_timer for controlling the key update period. When the timer expires, the OLT initiates the above key update process.
  • the OLT uses another timer, Churning_Timer, as a mechanism to initiate the next key update request if a key update frame cannot be obtained, to increase the reliability of the key update.
  • the timer Churning_Timer here is equivalent to the timer for counting the first timing in the foregoing embodiment.
  • the timer Churning_Timer is started each time the OLT issues a new key request frame.
  • the OLT receives the correct new key notification frame sent by the ONU before the Churning_Timer times out, the OLT enables the new key as the agitation key for agitation encryption and resets the Churning_Timer.
  • the OLT When the OLT still does not receive the new key notification frame after the timer Churning_Timer expires, the key interaction is considered to be failed, the Churning_Timer is reset; and the OLT sends a new round of new key request frame.
  • the ONU still uses the original key before the new key is successfully exchanged, and the information about the key interaction failure is reported to the network administrator by the OLT. If the OLT fails to receive the key update frame before the Churning_Timer timeout after sending the new key request frame three times in a row, the OLT shall alert the network administrator. Downstream traffic is still agitated with the old key.
  • the values of the key update period T key and the timer Chrning_Timer can be configured. The default value of T key is 10s. Key update and synchronization process.
  • FIG. 11 is a schematic flowchart of agitation key interaction between an OLT and an ONU, including:
  • the OLT sends a new key request to the ONU within a key update period T key time.
  • the ONU After receiving the new key request, the ONU returns the agitation key 0 to the OLT.
  • the OLT receives the agitation key 0.
  • the OLT uses the agitation key 0 for agitation encryption.
  • the ONU After receiving the broadcast encrypted message, the ONU will use the agitation key 0 to de-agile the encryption.
  • the OLT sends a new key request within the next T key time.
  • the OLT ONU After receiving the new key request, the OLT ONU returns the agitation key 1 to the OLT.
  • the OLT uses the agitation key 1 for agitation encryption.
  • the ONU After receiving the broadcast encrypted message, the ONU will use the agitation key 1 to de-agile the encryption.
  • the disclosed apparatus and method may be implemented in other manners.
  • the device embodiments described above are merely illustrative.
  • the division of the unit is only a logical function division.
  • there may be another division manner such as: multiple units or components may be combined, or Can be integrated into another system, or some features can be ignored or not executed.
  • the coupling, or direct coupling, or communication connection of the components shown or discussed may be indirect coupling or communication connection through some interfaces, devices or units, and may be electrical, mechanical or other forms. of.
  • the units described above as separate components may or may not be physically separated, and the components displayed as the unit may or may not be physical units, that is, may be located in one place or distributed to multiple network units; Some or all of the units may be selected according to actual needs to achieve the purpose of the solution of the embodiment.
  • each functional unit in each embodiment of the present invention may be integrated into one processing module, or each unit may be separately used as one unit, or two or more units may be integrated into one unit; the above integration
  • the unit can be implemented in the form of hardware or in the form of hardware plus software functional units.
  • the foregoing program may be stored in a computer readable storage medium, and the program is executed when executed.
  • the foregoing storage device includes the following steps: the foregoing storage medium includes: a mobile storage device, a read-only memory (ROM), a random access memory (RAM), a magnetic disk, or an optical disk.
  • ROM read-only memory
  • RAM random access memory
  • magnetic disk or an optical disk.
  • optical disk A medium that can store program code.
  • a method for encrypting a specified broadcast message is also provided, so that the broadcast of the broadcast text can be avoided, and the information is leaked once it is stolen, thereby improving information security. Wide application prospects.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Small-Scale Networks (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Two-Way Televisions, Distribution Of Moving Picture Or The Like (AREA)

Abstract

Les modes de réalisation de la présente invention concernent un procédé de cryptage de paquet de diffusion, un OLT et une ONU, ledit procédé comprenant les étapes suivantes : un terminal de ligne optique (OLT) détermine un paquet de diffusion désigné à crypter ; cryptage dudit paquet de diffusion désigné à crypter pour former un paquet crypté de diffusion ; envoi dudit paquet crypté de diffusion à une unité de réseau optique (ONU). L'invention concerne également un support de stockage informatique.
PCT/CN2016/098281 2015-11-30 2016-09-07 Procédé de cryptage de paquet de diffusion, olt, onu, et support de stockage informatique WO2017092465A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN201510863047.5A CN106817352A (zh) 2015-11-30 2015-11-30 广播报文加密方法及装置
CN201510863047.5 2015-11-30

Publications (1)

Publication Number Publication Date
WO2017092465A1 true WO2017092465A1 (fr) 2017-06-08

Family

ID=58796211

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2016/098281 WO2017092465A1 (fr) 2015-11-30 2016-09-07 Procédé de cryptage de paquet de diffusion, olt, onu, et support de stockage informatique

Country Status (2)

Country Link
CN (1) CN106817352A (fr)
WO (1) WO2017092465A1 (fr)

Cited By (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111935181A (zh) * 2020-09-25 2020-11-13 北京天御云安科技有限公司 一种全密态条件下密钥切换的业务无中断实现方法
CN114268412A (zh) * 2021-11-18 2022-04-01 岚图汽车科技有限公司 车辆通信方法、装置、存储介质及设备
CN116866902A (zh) * 2023-07-27 2023-10-10 烟台东方威思顿电气有限公司 一种基于交互数据的数据保护方法

Families Citing this family (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN108777678B (zh) * 2018-05-18 2020-12-11 北京邮电大学 一种网络密钥交互***、装置及方法
CN109583238B (zh) * 2018-11-29 2023-03-28 中国电子科技集团公司第四十七研究所 流水线指令流加解密方法
CN114365522A (zh) * 2019-09-27 2022-04-15 华为技术有限公司 数据安全处理的方法和通信装置
CN112751709B (zh) * 2020-12-29 2023-01-10 北京浪潮数据技术有限公司 一种存储集群的管理方法、装置和***

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1897500A (zh) * 2006-05-11 2007-01-17 中国电信股份有限公司 一种应用于以太网无源光网络***的搅动密钥更新与同步机制
CN101072094A (zh) * 2006-05-14 2007-11-14 华为技术有限公司 一种pon***中密钥协商的方法和***
CN101183934A (zh) * 2007-10-23 2008-05-21 中兴通讯股份有限公司 无源光网络中密钥更新方法
CN101388806A (zh) * 2007-09-12 2009-03-18 中兴通讯股份有限公司 密钥一致性检测方法和装置

Patent Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1897500A (zh) * 2006-05-11 2007-01-17 中国电信股份有限公司 一种应用于以太网无源光网络***的搅动密钥更新与同步机制
CN101072094A (zh) * 2006-05-14 2007-11-14 华为技术有限公司 一种pon***中密钥协商的方法和***
CN101388806A (zh) * 2007-09-12 2009-03-18 中兴通讯股份有限公司 密钥一致性检测方法和装置
CN101183934A (zh) * 2007-10-23 2008-05-21 中兴通讯股份有限公司 无源光网络中密钥更新方法

Cited By (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111935181A (zh) * 2020-09-25 2020-11-13 北京天御云安科技有限公司 一种全密态条件下密钥切换的业务无中断实现方法
CN114268412A (zh) * 2021-11-18 2022-04-01 岚图汽车科技有限公司 车辆通信方法、装置、存储介质及设备
CN114268412B (zh) * 2021-11-18 2023-10-13 岚图汽车科技有限公司 车辆通信方法、装置、存储介质及设备
CN116866902A (zh) * 2023-07-27 2023-10-10 烟台东方威思顿电气有限公司 一种基于交互数据的数据保护方法

Also Published As

Publication number Publication date
CN106817352A (zh) 2017-06-09

Similar Documents

Publication Publication Date Title
WO2017092465A1 (fr) Procédé de cryptage de paquet de diffusion, olt, onu, et support de stockage informatique
US11335144B2 (en) Method for unlocking intelligent lock, mobile terminal, intelligent lock and server
US11606341B2 (en) Apparatus for use in a can system
US9300468B2 (en) Secure node admission in a communication network
US11617082B2 (en) Methods providing NAS connection identifications and related wireless terminals and network nodes
US20230396606A1 (en) Method and system for communication between server and authenticator
US9264404B1 (en) Encrypting data using time stamps
WO2012003693A1 (fr) Procédé et appareil de traitement de paquets de message de contrôle des titres d'accès
WO2021244489A1 (fr) Procédé et appareil pour transmettre un surdébit de contrôle de chiffrement dans un réseau de transport optique
CN110945890B (zh) 使用单独的计数为多个nas连接提供安全性的方法以及相关的网络节点和无线终端
JP7451738B2 (ja) 鍵更新方法および関連装置
CN113632419A (zh) 用于对要在总线***(bu)、特别是机动车辆的总线***中传输的至少一个数据分组进行生成和认证检查的装置和方法
CN108337089B (zh) 信令传输加密、解密方法、装置及终端
US20110078444A1 (en) Re-authentication apparatus and method in downloadable conditional access system
CN108366359A (zh) 一种配置机顶盒连接WiFi的方法、装置及***
KR20100092768A (ko) 무선 네트워크 통신 시스템에서 데이터 통신 보안을 위한 맥 프로토콜 제공 방법
EP2047631B1 (fr) Procédé d'établissement d'une clé secrète entre deux noeuds dans un réseau de communication
US12010507B2 (en) Secure beacons
WO2006062345A1 (fr) Methode de distribution de cles sur epon
CN106301768B (zh) 一种基于光传输网otn的密钥更新的方法、装置和***
JP2004260556A (ja) 局側装置、加入者側装置、通信システムおよび暗号鍵通知方法
CN111163468A (zh) 一种通信连接方法及设备
WO2022105809A1 (fr) Procédé et appareil de mise à jour de clé, dispositif électronique et support de stockage
WO2023046944A1 (fr) Procédé d'exploitation d'un réseau cellulaire
CN116684198A (zh) 一种基于http接口加解密方法、装置、电子设备和存储介质

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 16869776

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 16869776

Country of ref document: EP

Kind code of ref document: A1