The present invention relates to a passive optical network (PON) system, and more specifically, relates to encryption in a PON system where variable-length packets are transmitted, such as a Gigabit Ethernet (registered trademark) PON (hereinafter, “GE-PON”) system. Particularly, the invention relates to a PON system with an encryption function relating to periodic update of an encryption key and an encryption method in the PON system.
The GE-PON method is currently in a final phase of standardization in the IEEE. However, regulations for encryption have not yet been laid down in the GE-PON method. In the PON system, data transfer is performed between an optical line terminal (OLT) and an optical network unit (ONU). Particularly, since data transfer from the OLT to the ONU (hereinafter, “downstream transfer”) is performed by simultaneous transmission, encryption is essential for ensuring security.
Generally, in network encryption, the encryption key is changed periodically so that the key cannot be broken. However, if the timing of the key change does not match exactly between the transmitting end and the receiving end, transmission data is lost.
For example, ITU-T Recommendation G.983.1 proposes encryption for a broadband passive optical network (PON) system that provides video service, the so-called B-PON system, which uses wavelength division multiplexing.
Digital transmission systems
ITU-T Recommendation G.983.1 (1998/10)
However, in the GE-PON, which is the subject of the present application, because the transmission data is in the form of a packet having a variable length, the timing cannot be synchronized with the same method as that of the B-PON system.
The present invention has been achieved to solve the above problems. It is an object of the invention to provide a PON system with an encryption function that can synchronize a timing for changing an encryption key between an ONU and an OLT, and an encryption method in the PON system, in a system where transmission data is a variable-length packet.
According to the PON system with an encryption function of the present invention, in which variable-length packets are transmitted, the PON system includes a time adjusting unit that synchronizes time information between an ONU and an OLT; an encryption-key update unit by which a new encryption key generated by either the ONU or the OLT is transmitted to the other and stored by both; and an encryption-key change-synchronizing unit by which either the ONU or the OLT transmits an encryption key changing time to the other, and the ONU and the OLT each change to the new encryption key at that time. The variable-length packets are transmitted between the ONU and the OLT while the encryption key is changed periodically.
According to the present invention, in the PON system where variable-length packets are transmitted, update of the encryption key from an old encryption key to a new encryption key can be performed, and a timing for changing the encryption key can be synchronized between the ONU and the OLT.
Moreover, an encryption method in a PON system of the present invention includes a time adjustment step in which time is synchronized in advance between the optical network unit and the optical line terminal; an encryption key update step in which a new encryption key generated by either the optical network unit or the optical line terminal is transmitted to the other, and the new encryption key is stored by both the optical network unit and the optical line terminal; and an encryption key change-synchronizing step in which either the optical network unit or the optical line terminal transmits a notification of an encryption key changing time to the other, and the optical network unit and the optical line terminal each change to the new encryption key at the encryption key changing time, wherein the variable-length packets are transmitted while the encryption key is changed at a predetermined timing.
According to the present invention, update of the encryption key from an old encryption key to a new encryption key can be performed, and the timing for changing the encryption key can be synchronized between the ONU and the OLT in the PON system where variable-length packets are transmitted.
Exemplary embodiments of a PON system with an encryption function according to the present invention will be explained below in detail with reference to the accompanying drawings.
1. Time Adjusting Unit
The gate message 23 generated by the client 15a is passed to a media access control (MAC) controller (MAC control, hereinafter, “MAC controller”) on a lower layer, where time information (timestamp value) TS taken from a clock register 21 is added to the gate message 23. The time-stamped gate message 23 is transmitted from the OLT 15 to the ONU 13. In the ONU 13 that receives the gate message 23, a MAC controller 13b sets the timestamp value in a clock register 25.
The time at which the ONU 13 sets the timestamp value in the clock register 25 is delayed by a predetermined transmission time with respect to the time at which the OLT 15 stamps the message. This delay time is constant at all times. Therefore, the operation of the OLT 15 is always delayed by the predetermined time from that of the ONU 13. The gate message 23 is sent periodically from the OLT 15 to the ONU 13 at a predetermined time interval. Accordingly, even if the time information of either the OLT 15 or the ONU 13 is wrong, the clocks of the OLT 15 and/or the ONU 13 are corrected when the next gate message is received.
The MAC controller 15b in the OLT 15 and the MAC controller 13b in the ONU 13 constitute a time adjusting unit that synchronizes the time information between the OLT 15 and the ONU 13. A time adjustment operation performed by the OLT 15 and the ONU 13 constitutes a time adjustment process.
2. Encryption-Key Update Unit
2-1. Update of Encryption Key by Authentication Sequence (Independent Setting)
As a general operation in the authentication sequence, an authenticator 33 in the ONU 13 causes a calculation result calculator 27 in an encryption controller 26 to perform a new calculation, stores the calculation result in a PON controller 35 in the ONU 13, and transmits the calculation result as an authentication frame 41 to the OLT 15 via the PON controller 35. On the other hand, in the OLT 15, a calculation result extracting unit 29 in an encryption controller 28 extracts the calculation result from the authentication frame received via a PON controller 37, in response to an instruction of the authenticator 33, and stores the result in the PON controller 37.
The calculation result transmitted from the ONU 13 to the OLT 15 is used for the operation of the authentication sequence as usual, and also used when the transmission data is encoded and decoded at the time of transferring the frame by the PON controllers 35 and 37.
The calculation result calculator 27 and a supplicant 31 in the ONU 13, and the calculation result extracting unit 29 and the authenticator 33 in the OLT 15 constitute the encryption-key update unit. The transmission and storage of the encryption key to be performed by the calculation result calculator 27, the supplicant 31, the calculation result extracting unit 29, and the authenticator 33 constitute the encryption key update process.
In the second embodiment, the ONU 13 generates the encryption key and transmits the encryption key to the OLT 15. However, it is possible to have a configuration in which the OLT 15 generates an encryption key and transmits the encryption key to the ONU 13.
In this manner, the encryption-key update unit generates a new encryption key based on the calculation result of the authentication sequence. Therefore, in a system including an authentication procedure, key information can be exchanged without adding a special frame, thereby enabling cost reduction.
2-2. Update by Extension OAM
An OAM controller 43 in the OLT 15 transmits a message requesting a new encryption key to the ONU 13 to obtain the new encryption key. Specifically, the PON controller 37 transmits an extension OAM message “GetRequest” to the ONU 13 as an OAM frame 43.
This message is received by an OAM controller 41 in the ONU 13. In response to an instruction of the OAM controller 41, an encryption key generation unit 33 in the encryption controller 26 generates a new encryption key by using, for example, a hash value. The ONU 13 uses a message of “GetResponse” to transmit the new encryption key to the OLT 15 as an OAM frame 44. The encryption key need not be the hash value, and can be generated based on a random number specially created.
The OAM controller 41 in the ONU 13 sets the new encryption key in the PON controller 35 after transmitting “GetResponse”. The OAM controller 43 sets the new encryption key in the PON controller 37 upon receiving “GetResponse”. The OAM controller 43 monitors, by a timer, the reception of “GetResponse” in response to “GetRequest”; on timeout, the transmission is retried three times. After the retries are exhausted, the OAM controller 43 waits for the next encryption key update timing to transmit a new “GetRequest”.
The encryption key generation unit 33 and the OAM controller 41 in the ONU 13, and the calculation result extracting unit 29 and the OAM controller 43 in the OLT 15 constitute the encryption-key update unit. Furthermore, transmission and storage of the encryption key to be performed by the encryption key generation unit 33 and the OAM controller 41, and the calculation result extracting unit 29 and the OAM controller 43 constitute the encryption key update process.
In the third embodiment, the ONU generates the encryption key and transmits the encryption key to the OLT 15. However, it is possible to have a configuration in which the OLT 15 generates an encryption key and transmits the encryption key to the ONU 13.
In this manner, the key information can be updated even in a system that does not include the authentication function as explained in the first embodiment. Furthermore, by performing retry transmission, a discrepancy of key information does not occur at a time of frame loss due to a transmission error or the like.
2-3. Update by Application Frame
To obtain an encryption key, the encryption controller 28 in the OLT 15 transmits the specially created message “new encryption key request” to the ONU 13 as a key request frame 45 via the PON controller 37. Upon reception of the message, in the ONU 13, the encryption controller 26 generates a new encryption key by using, for example, a hash value, in response thereto. The ONU 13 transmits a new encryption key message “encryption key notification” to the OLT 15 as a key notification frame 46.
The encryption controller 26 in the ONU 13 sets the new encryption key in the PON controller 35 after transmitting the “encryption key notification”. The encryption controller 28 in the OLT 15 sets the new encryption key in the PON controller 37 after receiving the “encryption key notification”. The encryption controller 28 in the OLT 15 monitors, by a timer, the reception of the “encryption key notification” in response to the “new encryption key request”; on timeout, the transmission is retried three times. After the retries are exhausted, the encryption controller 28 waits for the next encryption key update timing to transmit a new “new encryption key request”.
The encryption controller 26 in the ONU 13 and the encryption controller 28 in the OLT 15 constitute the encryption-key update unit. Furthermore, transmission and storage of the encryption key to be performed by the encryption controller 26 and the encryption controller 28 constitute the encryption key update process.
In the fourth embodiment, the ONU generates the encryption key and transmits the encryption key to the OLT 15. However, it is possible to have a configuration in which the OLT 15 generates an encryption key and transmits the encryption key to the ONU 13.
In this manner, the same effect as in the second embodiment can be obtained, and since a message is specially created, flexibility is increased, and mixing with a special specification can be easily made.
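The request/response exchange with a response timer and three retries is the same in the extension OAM method (2-2) and the application frame method (2-3). The following is an added example, not code from the patent, that models that exchange; the loss pattern, the seed, and the hash-based key derivation are constructed for illustration.

```python
"""Added example, not code from the patent: the request/response key update
with a response timer and three retries that the extension OAM method (2-2)
and the application frame method (2-3) share.  The loss pattern, the seed
and the hash-based key derivation are constructed for illustration."""
import hashlib

MAX_RETRIES = 3      # retries after the initial request, as in the text


class Onu:
    """Answers each request with a fresh key and stores it right after
    sending the response (before knowing whether the response arrived)."""

    def __init__(self, seed: bytes):
        self.seed, self.counter, self.stored_key = seed, 0, None

    def handle_request(self) -> bytes:
        self.counter += 1
        key = hashlib.sha256(self.seed + self.counter.to_bytes(4, "big")).digest()
        self.stored_key = key      # set in the PON controller after the response
        return key


class Olt:
    """Sends the request, waits for the response under a timer and retries."""

    def __init__(self, onu: Onu, drops: list[str]):
        # drops[i] is "req", "resp" or "" for attempt i (constructed loss pattern)
        self.onu, self.drops, self.stored_key, self.attempts = onu, drops, None, 0

    def update_key(self) -> str:
        for attempt in range(1 + MAX_RETRIES):
            self.attempts = attempt + 1
            drop = self.drops[attempt] if attempt < len(self.drops) else ""
            if drop == "req":
                continue               # request lost: timer expires, retry
            key = self.onu.handle_request()
            if drop == "resp":
                continue               # response lost: the ONU holds a key the OLT never saw
            self.stored_key = key      # set on reception of the response
            return "updated"
        return "wait-for-next-update-timing"   # retries exhausted


def keys_agree(olt: Olt) -> bool:
    """True when both ends hold the same stored key after the exchange."""
    return olt.stored_key is not None and olt.stored_key == olt.onu.stored_key
```

A lost response leaves the ONU holding a key the OLT lacks until the next retry regenerates one; after the retries are exhausted, the ends disagree until the next update timing.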
3. Encryption-Key Change-Synchronizing Unit
3-1. Downstream
In the fifth embodiment, with the PON system in this state, an update time frame 51, which is a “downstream key update time message”, is transmitted from the PON controller 37 in the OLT 15. The “downstream key update time (T1)” at which the change to the new encryption key is to be made is inserted in this “downstream key update time message”. When that time is reached, the OLT 15 and the ONU 13 change the cipher used for downstream transmission to the new encryption key. However, if a frame is being transmitted or received at that time, the transmission or reception of that frame is continued as it is, and the cipher is changed to the new encryption key when transmission or reception of the next frame starts.
Regarding whether encryption processing is performed, there are two modes: an encryption mode in which the encryption processing is performed, and a non-encryption mode in which it is not. It is assumed that the “downstream key update time message” can be transmitted even in the non-encryption mode. In this case, no changing operation is performed even when the specified time is reached.
Furthermore, by transmitting the value of the “downstream key update time (T1)” in the “downstream key update time message” as a special value, for example “0”, this value can be used as a message instructing to change the encryption mode to the non-encryption mode.
The “downstream key update time message” can be redundantly transmitted three times for error prevention.
In the fifth embodiment, the encryption controller 26 and the PON controller 35 in the ONU 13 and the encryption controller 28 and the PON controller 37 in the OLT 15 constitute the encryption-key change-synchronizing unit. Furthermore, the changing operation to the new encryption key performed by the encryption controller 26, the PON controller 35, the encryption controller 28, and the PON controller 37 constitutes the encryption key change-synchronizing process.
In this manner, synchronization of the key update time becomes possible between the OLT 15 and the ONU 13, and hence a frame loss does not occur at the time of updating the key. That is, a loss of data can be prevented. Furthermore, by the redundant transmission for three times, a loss of a time message due to a transmission error, a deviation of the key update time, and a non-updatable state do not occur. By setting the time information to a special value, for example “0”, this value can be used as an instruction of mode change.
3-2. Upstream (1) Burst Specifying Method
The encryption key to be used in the upstream direction is changed from
a burst 81 that is three bursts behind a burst by which the first message is transmitted,
a burst 82 that is two bursts behind a burst by which the second message is transmitted, and
a burst 83 that is one burst behind a burst by which the third message is transmitted.
A notification of the encryption key changing time from the ONU 13 to the OLT 15 is transmitted in the three continuous bursts for preventing an error.
When the upstream encryption processing is in the non-encryption mode, the message is not transmitted.
In this manner, the notification of the encryption key changing time can be transmitted from the ONU 13 to the OLT 15. Accordingly, synchronization of the key update time can be achieved between the OLT 15 and the ONU 13, and hence a frame loss does not occur at the time of updating the key. That is, a loss of data can be prevented. Furthermore, by the redundant transmission for three times, a loss of a time message due to a transmission error, a deviation of the key update time, and a non-updatable state do not occur. By setting the time information to a special value, for example “0”, this value can be used as an instruction of mode change.
3-3. Upstream (2) Grant Specifying Method
It is assumed that the update to the new encryption key has been already finished between the OLT 15 and the ONU 13 by any one of the encryption-key update units in the second to the fourth embodiments.
In
With reference to
In this manner, the notification of the encryption key changing time can be transmitted from the ONU 13 to the OLT 15. Accordingly, synchronization of the key update time can be achieved between the OLT 15 and the ONU 13, and hence a frame loss does not occur at the time of updating the key. That is, a loss of data can be prevented.
The PON system with the encryption function and the encryption method in the PON system according to the present invention are suitable for encryption in the PON system where variable-length packets are transmitted, such as the Gigabit Ethernet (registered trademark) PON system, and particularly suitable for the PON system where the encryption key is periodically updated.
Filing Document | Filing Date | Country | Kind | 371c Date |
---|---|---|---|---|
PCT/JP2004/006897 | 5/14/2004 | WO | 00 | 10/26/2006 |