Key management device and method for providing security service in ethernet-based passive optical network
Abstract
A key management device and method required for provision of a security service in an EPON (Ethernet-based passive optical network), which is vulnerable to security breaches because of the characteristics of Ethernet. A session key distribution function is performed in such a manner that, during communication setup between an OLT (optical line terminal) and an ONU (optical network unit), the OLT multicasts a public key, and the ONU receives the public key from the OLT and then distributes a corresponding session key to the OLT. A session key update function is performed in such a manner that an existing session key is updated with a new one through a periodic MPCP (multi-point control protocol) general gate message and an ONU report message.
Claims (35 claims, 78 citations)
1. A key management device for provision of a security service in an Ethernet-based passive optical network, comprising:
an optical line terminal for sending a discovery gate message to discover an optical network unit for data transmission, and, if said optical network unit receives said discovery gate message and then requests data communication, sending an encrypted registration message including a permanent medium access control (MAC) address of said optical network unit to said optical network unit to notify said optical network unit that it has been registered and an encrypted general gate message including said permanent MAC address of said optical network unit to said optical network unit to allocate a time slot to said optical network unit; and
said optical network unit for receiving said discovery gate message and then sending an encrypted registration request message to said optical line terminal to request the data communication therewith and an encrypted registration acknowledgement message to said optical line terminal to respond to said registration message. (Dependent claims 2 to 13 omitted.)
14. A method for session key distribution between an optical line terminal and an optical network unit in a key management method for provision of a security service in an Ethernet-based passive optical network, comprising the steps of:
a), by said optical line terminal, sending a discovery gate message to discover said optical network unit for data transmission;
b), by said optical network unit, receiving said discovery gate message and then sending an encrypted registration request message to said optical line terminal to perform data communication therewith;
c), by said optical line terminal, sending an encrypted registration message including a permanent MAC address of said optical network unit to said optical network unit to notify said optical network unit that it has been registered;
d), by said optical line terminal, sending an encrypted general gate message including said permanent MAC address of said optical network unit to said optical network unit to allocate a time slot to said optical network unit; and
e), by said optical network unit, sending an encrypted registration acknowledgement message to said optical line terminal to respond to said registration message. (Dependent claims 15 to 24 omitted.)
25. A method for session key update between an optical line terminal and an optical network unit in a key management method for provision of a security service in an Ethernet-based passive optical network, comprising the steps of:
a), by said optical line terminal, sending key update information to said optical network unit at a predetermined key update period; and
b), by said optical network unit, receiving said key update information and sending a new session key to said optical line terminal. (Dependent claims 26 to 28 omitted.)
29. A method for key recovery between an optical line terminal and an optical network unit in a key management method for provision of a security service in an Ethernet-based passive optical network, comprising the steps of:
a) determining whether a pair of private and public keys are in error;
b), if said pair of private and public keys are in error, by said optical line terminal, creating a pair of new private and public keys and multicasting the new public key while including it in a desired message; and
c), by said optical network unit, receiving said new public key, comparing it with a public key pre-stored in a public key storage unit therein, discarding said new public key if it is the same as the pre-stored public key and storing said new public key in said public key storage unit if it is different from the pre-stored public key. (Dependent claims 30 and 31 omitted.)
32. A method for key recovery between an optical line terminal and an optical network unit in a key management method for provision of a security service in an Ethernet-based passive optical network, comprising the steps of:
a) determining whether there is a session key error between said optical line terminal and said optical network unit; and
b), if there is a session key error between said optical line terminal and said optical network unit, by said optical network unit, sending a new session key to said optical line terminal using a time slot sent while being included in a discovery gate message. (Dependent claims 33 to 35 omitted.)
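The following Go model is an added illustration, not code from the patent: it carries out the session key distribution of claim 14 (the ONU wraps a fresh session key under the multicast OLT public key, reused for the new key of claim 25 and claim 32) and the ONU-side public key comparison of claim 29, step c. RSA-OAEP as the wrapping algorithm and a 256-bit session key are assumptions; the claims name no algorithm, and the encryption of the registration and gate messages under the session key is not shown.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// OLT: the pair of private and public keys; the public half is what the OLT
// multicasts to every ONU during discovery (abstract; claim 29, step b).
func oltNewKeyPair() *rsa.PrivateKey {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	check(err)
	return priv
}

// ONU: fresh 256-bit session key, wrapped with the OLT public key so that only
// the OLT can recover it (claim 14, step b; the new key of claim 25, step b).
// RSA-OAEP is an assumption here; the claims name no algorithm.
func onuWrapSessionKey(oltPub *rsa.PublicKey) (sessionKey, wrapped []byte) {
	sessionKey = make([]byte, 32)
	_, err := rand.Read(sessionKey)
	check(err)
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, oltPub, sessionKey, nil)
	check(err)
	return sessionKey, wrapped
}

// OLT: unwrap the session key carried in the encrypted registration request.
func oltUnwrapSessionKey(priv *rsa.PrivateKey, wrapped []byte) []byte {
	key, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, nil)
	check(err)
	return key
}

// ONU public key storage on recovery (claim 29, step c): a re-multicast of the
// key already stored is discarded; a different key replaces the stored one.
func onuStorePublicKey(stored, received *rsa.PublicKey) (kept *rsa.PublicKey, replaced bool) {
	if stored != nil && stored.Equal(received) {
		return stored, false
	}
	return received, true
}
```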