MAC security entity for link security entity and transmitting and receiving method therefor

US 20060136715A1
Filed: 11/03/2005
Published: 06/22/2006
Est. Priority Date: 12/22/2004
Status: Active Grant

First Claim

Patent Images

1. An apparatus of media access control (MAC) security transmission comprising:

a frame classifier distinguishing the type of a frame, and based on a logical link identifier (LLID) of the distinguished frame, determining whether or not the frame is a security link to which a security function is to be applied;

a bypass unit delaying a no-security-function frame so that a processing time for converting the security-function-applied frame classified in the frame classifier into an encrypted frame is the same as a processing time for the no-security-function frame; and

a parameter generation unit transmitting in relation to each of the LLIDs, a parameter set value, including a security-function-application setting signal used in the encryption, decryption and authentication of the frame, a frame decryption signal, an encryption mode selection signal, and an authentication intensity adjustment signal.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus and method for providing a security function of frames transmitted between optical network terminals (OLTs) and optical network units (ONUs) in an Ethernet passive optical network (EPON) providing media access control (MAC) services are provided. The apparatus includes: a frame classifier distinguishing the type of a frame, and based on the logical link identifier (LLID) of the distinguished frame, determining whether or not the frame is a security link to which a security function is to be applied; a bypass unit delaying a no-security-function frame so that a processing time for converting the security-function-applied frame classified in the frame classifier into an encrypted frame is the same as a time for processing the no-security-function frame; and a parameter generation unit transmitting in relation to each of the LLIDs, a parameter set value including a security-function-application setting signal used in the encryption, decryption and authentication of the frame, a frame decryption signal, an encryption mode selection signal, and an authentication intensity adjustment signal.

91 Citations

View as Search Results

20 Claims

1. An apparatus of media access control (MAC) security transmission comprising:
- a frame classifier distinguishing the type of a frame, and based on a logical link identifier (LLID) of the distinguished frame, determining whether or not the frame is a security link to which a security function is to be applied;
  
  a bypass unit delaying a no-security-function frame so that a processing time for converting the security-function-applied frame classified in the frame classifier into an encrypted frame is the same as a processing time for the no-security-function frame; and
  
  a parameter generation unit transmitting in relation to each of the LLIDs, a parameter set value, including a security-function-application setting signal used in the encryption, decryption and authentication of the frame, a frame decryption signal, an encryption mode selection signal, and an authentication intensity adjustment signal.
- View Dependent Claims (2, 3)
- - 2. The apparatus of claim 1, wherein the frame classifier receives a mode parameter value for selecting an encryption algorithm from the parameter generation unit and selects whether an authentication decryption algorithm (Galois/Counter Mode—
    - advanced encryption standard, GCM-AES) or an authentication algorithm (G-MAC) is to be applied to the frame.
  - 3. The apparatus of claim 1, further comprising:
    - an encryption unit receiving an input from the parameter generation unit, of a parameter value ICV_Size confirming whether or not a frame is authenticated, and by changing the ICV_Size parameter value in the authentication decryption algorithm or the authentication algorithm, changing the authentication intensity.

4. An apparatus of a MAC security reception unit comprising:
- a frame classifier determining based on the LLID value of a frame whether or not a security function is applied to the frame, determining based on the type value of the frame whether the frame is an encrypted frame or a non-encrypted plaintext frame, and processing a denial of service (DoS) attack frame based on a user-defined parameter value in relation to each frame;
  
  a parameter verification unit transmitting a parameter set value used in the decryption and authentication of the frame;
  
  a retransmission attack processing unit, if the frame corresponds to a retransmission attack frame, removing the frame based on the association number (AN) flag value of the frame; and
  
  a bypass unit delaying the plaintext frame so that a processing time taken for decrypting the encrypted frame is the same as a time of processing the plaintext frame.
- View Dependent Claims (5, 6, 7, 8)
- - 5. The apparatus of claim 4, further comprising:
    - an encryption unit performing in relation to the frame, an authentication decryption function decrypting an encrypted frame into a plaintext frame by using the parameter value input from the parameter verification unit, and identifying whether or not the encrypted frame is altered, or performing an authentication check function only identifying whether or not the encrypted frame is altered.
  - 6. The apparatus of claim 4, wherein the frame classifier receives a parameter mode value for selecting an algorithm from the parameter verification unit and selects whether one of an authentication decryption algorithm (GCM-AES) and an authentication algorithm (G-MAC) is to be applied to the frame in the encryption unit.
  - 7. The apparatus of claim 5, wherein in the confirmation of whether or not the frame is altered, by changing the ICV_Size parameter value in the authentication encryption algorithm or in the authentication algorithm based on the ICV_Size parameter value input from the parameter verification unit, the authentication intensity is changed.
  - 8. The apparatus of claim 4, wherein the parameter verification unit checks the state of an encryption key used in the decryption of the frame based on the packet number value of the frame, and transmits an encryption key expiry signal, an encryption key conversion signal, and an encryption key update signal.

9. A MAC security apparatus comprising:
- a MAC security transmission unit classifying a frame based on the LLID value and the type of the frame, generating a first parameter set for setting or canceling information indicating whether or not a security function is to be applied, in relation to the type of the frame based on the LLID, determining whether or not the security function is to be applied to the frame, and delaying a no-security-function frame so that a processing time for converting a security-function-applied frame into an encrypted frame is the same as a processing time for the no-security-function frame; and
  
  a MAC security reception unit checking based on the LLID value whether or not an encryption mode of a frame is set, determining based on the type value of the frame whether the frame is an encrypted frame or a non-encrypted plaintext frame, processing a DoS attack frame in relation to each frame based on the frame type value, generating a second parameter set value used in the authentication and decryption of the frame, and delaying the plaintext frame so that a processing time taken for decrypting the encrypted frame is the same as a time for processing the plaintext frame.
- View Dependent Claims (10, 11)
- - 10. The apparatus of claim 9, wherein a mode parameter value for selecting an algorithm is input from one of the first parameter set and the second parameter set, and whether an authentication decryption algorithm (GCM-AES) is to be applied or an authentication algorithm (G-MAC) is to be applied to the frame is selected, and in order to change the authentication intensity in the algorithm, the authentication decryption algorithm or the authentication algorithm selectively uses an ICV_Size parameter value confirming whether or not the frame is authenticated.
  - 11. The apparatus of claim 9, further comprising:
    - an encryption unit, performing in relation to the frame, an authentication decryption function decrypting an encrypted frame into a plaintext frame by using the second parameter value, and identifying whether or not the encrypted frame is altered, or performing an authentication check function only identifying whether or not the encrypted frame is altered.

12. A frame transmission method in a MAC security transmission apparatus comprising:
- determining based on the LLID value of a frame whether or not a security function is to be applied;
  
  delaying a no-security-function frame so that a processing time for converting a security-function-applied frame into an encrypted frame is the same as a processing time for the no-security-function frame; and
  
  in relation to each of the LLIDs, transmitting a parameter set value, including a security-function-application setting signal used in the encryption, decryption and authentication of the frame, a frame decryption signal, an encryption mode selection signal, and an authentication intensity adjustment signal.
- View Dependent Claims (13, 14)
- - 13. The method of claim 12, further comprising:
    - encoding the frame;
      
      based on a mode parameter value selecting an encryption algorithm in the parameter set value, applying an authentication decryption algorithm (GCM-AES) and an authentication algorithm (G-MAC) to the frame; and
      
      multiplexing the encrypted frame and the no-security-function frame.
  - 14. The method of claim 13, further comprising:
    - according to an ICV_Size parameter value in the parameter set value, confirming whether or not the frame is authenticated, changing the authentication intensity in one of the authentication decryption algorithm and the authentication algorithm.

15. A frame reception method in a MAC security reception apparatus comprising:
- based on the LLID value of a frame, determining whether or not a security function is applied to the frame;
  
  determining based on the type value of the frame whether the frame is an encrypted frame or non-encrypted plaintext frame, and processing a DoS attack frame based on a user-defined parameter value in relation to each frame;
  
  transmitting a parameter set value used in the decryption and authentication of the frame;
  
  based on the AN flag value of the frame, if the frame corresponds to a retransmission attack frame, removing the frame; and
  
  delaying the plaintext frame so that a processing time taken for decrypting the encrypted frame is the same as a time for processing the plaintext frame.
- View Dependent Claims (16)
- - 16. The method of claim 15, further comprising:
    - decoding the frame;
      
      applying one of an authentication decryption algorithm (GCM-AES) and an authentication algorithm (G-MAC) to the frame based on a mode parameter value in the parameter set value, for selecting an encryption algorithm;
      
      changing the authentication intensity in the authentication decryption algorithm or the authentication algorithm according to an ICV_Size parameter value in the parameter set value, for confirming whether or not the frame is authenticated; and
      
      multiplexing the encrypted frame and the no-security-function frame.

17. A frame transmission and reception method in a MAC security apparatus comprising:
- classifying a frame and determining whether or not a security function is applied, based on the LLID value and the type of the frame;
  
  in relation to each of the LLIDs, transmitting a parameter set value, comprising a security-function-application setting signal used in the encryption, decryption and authentication of the frame, a frame decryption signal, an encryption mode selection signal, and an authentication intensity adjustment signal;
  
  delaying the no-security-function frame so that a processing time for converting the security-function-applied frame into an encrypted frame is the same as a time for processing the no-security-function frame;
  
  authentication decrypting or authenticating the frame;
  
  based on the LLID value, determining whether or not an encryption mode is set in the frame;
  
  determining based on the type value of the frame whether the frame is an encrypted frame or a non-encrypted plaintext frame, and processing a DoS attack frame in relation to each frame based on the frame type value;
  
  delaying the plaintext frame so that a processing time taken for decrypting the encrypted frame is the same as a time for processing the plaintext frame; and
  
  transmitting a second parameter set value used in the authentication and decryption of the frame.
- View Dependent Claims (18, 19, 20)
- - 18. The method of claim 17, further comprising:
    - receiving a mode parameter value for selecting an algorithm from one of the first parameter set and the second parameter set, and selecting whether an authentication decryption algorithm (GCM-AES) or an authentication algorithm (G-MAC) is to be applied to the frame.
  - 19. The method of claim 17, further comprising:
    - changing the authentication intensity in one of the authentication decryption algorithm and the authentication algorithm according to an ICV_Size parameter value in the parameter set value, for confirming whether or not the frame is authenticated.
  - 20. The method of claim 17, further comprising:
    - checking the state of an encryption key used in the decryption of the frame based on the packet number value of the frame, and transmitting an encryption key expiry signal, an encryption key conversion signal, and an encryption key update signal.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Electronics and Telecommunications Research Institute
Original Assignee
Electronics and Telecommunications Research Institute
Inventors
Yoo, Tae Whan, Kim, Kwang Ok, Han, Kyeong Soo

Granted Patent

US 7,797,745 B2
Time in Patent Office

Days
Field of Search
US Class Current

713/151
CPC Class Codes

H04L 63/126   the source of the received ...

H04L 63/1458   Denial of Service

H04L 9/0631   Substitution permutation ne...

H04L 9/0637   Modes of operation, e.g. ci...

H04L 9/3242   involving keyed hash functi...

MAC security entity for link security entity and transmitting and receiving method therefor

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

91 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

MAC security entity for link security entity and transmitting and receiving method therefor

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

91 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links