
CN103905209A - Mutual authentication method based on NTRUSign passive optical network access - Google Patents

Mutual authentication method based on NTRUSign passive optical network access Download PDF

Info

Publication number
CN103905209A
Authority
CN
China
Prior art keywords
onu
olt
frame
authentication
information
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN201410178038.8A
Other languages
Chinese (zh)
Inventor
殷爱菡
胡逸飞
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Individual
Original Assignee
Individual
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date

Landscapes

  • Small-Scale Networks (AREA)

Abstract

The invention discloses a mutual authentication protocol for passive optical network (PON) access based on NTRUSign. The NTRUSign digital signature algorithm is used to authenticate the OLT and the ONU to each other. After mutual authentication succeeds, the OLT and the ONU negotiate a session key that is used to encrypt subsequently transmitted data and so protect the system. Three frames are defined for the protocol: an authentication frame CERTIFICATION_GATE, an information frame M_ONU and an information frame M_OLT. With these three frames the OLT and the ONU complete authentication efficiently and securely.

Description

Mutual authentication method for EPON access based on NTRUSign
Technical field
The present invention relates to the field of optical access networks, and in particular to a mutual authentication protocol for EPON access based on the NTRUSign algorithm together with three custom frame structures.
Background
Smart cities are the trend of future urban development, and optical networks play an important role in them. A PON has a low deployment cost, flexible service provisioning and easy upgrading, and is therefore regarded as the ideal optical access network for city-wide optical network construction.
However, because a PON sends downstream data by broadcast, it is exposed to certain security threats. A typical one is an illegitimate ONU masquerading as a legitimate ONU in order to send and receive data, occupying a large amount of bandwidth and wasting network resources. When an illegitimate ONU wants to join the PON, it can deceive the OLT by impersonating an already registered ONU and then exchange data successfully; in that case important system information may be stolen by the malicious ONU, and system security is harmed. In addition, the OLT is the central office equipment of the PON and is responsible for controlling, managing and ranging the ONUs, so the identity of the OLT must also be verified to make sure it is legitimate. If an attacker impersonates the OLT, it can control the ONUs and cause great damage on the user side. Mutual authentication of OLT and ONU is therefore necessary, and no particularly satisfactory solution exists at present.
At present there is little work on mutual authentication in PONs; most schemes only authenticate the ONU and ignore authentication of the OLT. The usual signature schemes are RSA and ECDSA. Both involve modular arithmetic on large numbers, so they are relatively slow, place high demands on bandwidth and memory, and add considerable delay to the PON. An efficient, low-latency mutual authentication method is therefore needed. To achieve mutual authentication of the OLT and the ONU, the present invention adopts NTRUSign, a digital signature algorithm whose signing and verification are both very fast: its main operations are polynomial multiplications and additions, which greatly reduce the amount of computation and hence the impact on system delay. The legitimacy of the OLT and the ONU is judged by verifying the signature each of them generates, which realizes mutual authentication. The OLT and the ONU also negotiate a session key for encrypting subsequent data, which prevents impersonation, eavesdropping and similar security problems in the system.
Summary of the invention
The object of the present invention is to provide a mutual authentication method for EPON access based on NTRUSign, which realizes mutual authentication of the OLT and the ONU in a PON system and ensures system security.
The technical scheme of the present invention is as follows:
A mutual authentication method for EPON access based on NTRUSign, comprising the following steps:
Step A: the OLT (central office side) and the ONU (user side) of the PON system each generate a public/private key pair with the key generation algorithm of NTRUSign, and at the same time generate the certificates C_ONU / C_OLT and the random values R_ONU / R_OLT.
Step B: the OLT sends the custom authentication frame CERTIFICATION_GATE to the ONU. This frame is 64 bytes like a standard control frame; its information field carries the OLT's public key PK_OLT, certificate C_OLT and random value R_OLT, each occupying 2 bytes. The ONU verifies the OLT's certificate C_OLT and, if it is valid, generates a random parameter r1 and produces the signature s_ONU with its private key SK_ONU according to the NTRUSign signing algorithm. It derives an encryption key K = KD-HMAC-SHA256(PSK, R_OLT) with the key derivation algorithm, encrypts the ONU's certificate C_ONU, public key PK_ONU, random value R_ONU, random parameter r1 and signature s_ONU under K to obtain the ciphertext EM_ONU, and sends EM_ONU to the OLT in the information frame M_ONU.
Step C: the OLT receives M_ONU from the ONU and extracts the ciphertext EM_ONU carried in its information field. The OLT derives the same encryption key K = KD-HMAC-SHA256(PSK, R_OLT), decrypts EM_ONU and obtains the ONU's certificate C_ONU and signature s_ONU. It first verifies the certificate C_ONU; if the certificate is valid, it verifies the received signature with the ONU's public key PK_ONU according to the NTRUSign verification algorithm, and if the signature verifies the ONU is legitimate. The OLT then generates its own signature s_OLT with its private key SK_OLT according to the NTRUSign signing algorithm, encrypts s_OLT under K to obtain the ciphertext EM_OLT, and sends EM_OLT to the ONU in the information frame M_OLT.
Step D: the ONU receives M_OLT from the OLT, extracts the ciphertext EM_OLT carried in its information field and decrypts it to obtain the OLT's signature s_OLT. It verifies s_OLT with the OLT's public key according to the NTRUSign verification algorithm; once the signature verifies, the two sides negotiate the session key.
Step A further comprises the following steps:
A1. The ONU first chooses two polynomials f_ONU ∈ L_f and g_ONU ∈ L_g at random and then generates its own public and private keys with the key generation algorithm of NTRUSign: the public key is PK_ONU and the private key SK_ONU is (f_ONU, g_ONU, F_ONU, G_ONU). The ONU stores the key pair it generated.
A2. The ONU generates the random value R_ONU, concatenates its public key PK_ONU with R_ONU, hashes the result, and signs the hash value with the private key it generated; the signature is the ONU's certificate C_ONU. Initialization of the ONU side is complete.
A3. The OLT first chooses two polynomials f_OLT ∈ L_f and g_OLT ∈ L_g at random and then generates its own public and private keys with the key generation algorithm of NTRUSign: the public key is PK_OLT and the private key SK_OLT is (f_OLT, g_OLT, F_OLT, G_OLT). The OLT stores the key pair it generated.
A4. The OLT generates the random value R_OLT, concatenates its public key PK_OLT with R_OLT, hashes the result, and signs the hash value with the private key it generated; the signature is the OLT's certificate C_OLT. Initialization of the OLT side is complete.
Step B further comprises the following steps:
B1. The OLT sends the authentication frame CERTIFICATION_GATE to the ONU; it carries the OLT's initialization parameters PK_OLT, C_OLT and R_OLT.
B2. The ONU verifies the legitimacy of the OLT's certificate with the verification algorithm of NTRUSign; if the certificate verifies, the ONU generates the random parameter r1.
B3. The ONU computes Q_ONU = R_OLT || r1 and m = h(PK_ONU || Q_ONU), reduces m modulo q into the polynomial pair (m1, m2), and then evaluates the two expressions
G_ONU * m1 - F_ONU * m2 = A + q*B,
-g_ONU * m1 + f_ONU * m2 = a + q*b,
which yields the parameters B and b. Finally it computes s_ONU = f_ONU * B + F_ONU * b (mod q), which is the ONU's signature.
B4. The ONU derives the encryption key K = KD-HMAC-SHA256(PSK, R_OLT) with the key derivation algorithm, computes EM_ONU = E(K, PK_ONU, R_ONU, C_ONU, s_ONU, r1), and sends the ciphertext EM_ONU to the OLT in the information frame M_ONU.
Step C further comprises the following steps:
C1. After receiving M_ONU, the OLT first derives the encryption key K = KD-HMAC-SHA256(PSK, R_OLT) with the key derivation algorithm and then decrypts the received ciphertext EM_ONU to obtain the ONU's certificate C_ONU, its signature s_ONU and the other information.
C2. The OLT verifies the legitimacy of the ONU's certificate with the verification algorithm of NTRUSign. When the certificate verifies, the OLT next verifies the ONU's signature s_ONU, both to confirm the random parameter r1 and to verify the legitimacy of the ONU's identity.
C3. The OLT computes Q_ONU = R_OLT || r1 and m = h(PK_ONU || Q_ONU), reduces m modulo q into the polynomial pair (m1, m2), and computes t_ONU = s_ONU * PK_ONU (mod q). If the inequality ||s_ONU - m1||^2 + ||t_ONU - m2||^2 <= NormBound^2 holds, the ONU's signature is valid and the ONU's identity is legitimate.
C4. The OLT signs the random value R_ONU sent by the ONU to obtain its own signature s_OLT, computes EM_OLT = E(K, s_OLT), and sends the ciphertext EM_OLT to the ONU in the information frame M_OLT.
Step D further comprises the following steps:
D1. The ONU receives the information frame M_OLT from the OLT and decrypts the ciphertext EM_OLT with the encryption key K to obtain the OLT's signature s_OLT.
D2. The ONU judges the validity of the OLT's signature with the verification algorithm of NTRUSign. If it verifies, the OLT is legitimate and mutual authentication has succeeded.
D3. The OLT and the ONU enter the key agreement stage and generate the session key: each side computes K_OLTONU = h(R_ONU || R_OLT || r1) as their shared session key. This session key can be used to encrypt subsequent data and protect data transmission.
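Added example (not part of the patent): a runnable toy implementation, written by the editor in Python, of the key generation, the signing formulas of step B3 and the check of step C3. It assumes the ring Z[X]/(X^N - 1) with N = 17 and q = 256 (the NTRUSign reference parameters are N = 251, q = 128), ternary polynomials f and g in place of the sets L_f and L_g, SHAKE-256 as the hash h() whose output is split into (m1, m2), and a NormBound chosen for these toy parameters; key generation finds F, G with f*G - g*F = q through a rational extended Euclidean algorithm followed by the usual Babai reduction, which the page does not spell out. The message passed to sign() stands for PK_ONU || Q_ONU. Two caveats for practitioners: these parameters are far too small to be secure, and, as in the patent, no perturbation is applied to the signature, so the unperturbed NTRUSign scheme leaks its private key after a few hundred signatures (Nguyen and Regev, 2006).

```python
# Toy NTRUSign: key generation, the signing formulas of step B3 and the check of step C3.
# Editor's example, not the patent's code; the assumptions are listed in the lead-in.
import hashlib
import random
from fractions import Fraction
from functools import reduce
from math import gcd

N, Q = 17, 256            # toy parameters (NTRUSign itself uses N = 251, q = 128)
NORM_BOUND = Q            # honest signatures sit near 0.4q from (m1, m2), random points near 1.7q

def rmul(a, b):
    """Product in Z[X]/(X^N - 1); works for int or Fraction coefficients."""
    out = [0] * N
    for i, x in enumerate(a):
        if x:
            for j, y in enumerate(b):
                out[(i + j) % N] += x * y
    return out

radd = lambda a, b: [x + y for x, y in zip(a, b)]
rsub = lambda a, b: [x - y for x, y in zip(a, b)]

def _trim(p):
    while len(p) > 1 and p[-1] == 0:
        p.pop()
    return p

def _polydivmod(a, b):
    """Long division in Q[X]; polynomials are low-to-high coefficient lists."""
    a, b = _trim(list(a)), _trim(list(b))
    quo = [Fraction(0)] * max(len(a) - len(b) + 1, 1)
    while len(a) >= len(b) and any(a):
        d, c = len(a) - len(b), a[-1] / b[-1]
        quo[d] = c
        for i, y in enumerate(b):
            a[i + d] -= c * y
        a = _trim(a)
    return quo, a

def rinv_rational(a):
    """Inverse of a over Q[X]/(X^N - 1) by extended Euclid; ValueError if a shares a factor with X^N - 1."""
    r0 = [Fraction(-1)] + [Fraction(0)] * (N - 1) + [Fraction(1)]            # X^N - 1
    r1 = [Fraction(c) for c in a]
    s0, s1 = [Fraction(0)] * N, [Fraction(1)] + [Fraction(0)] * (N - 1)    # r_i = s_i * a  (mod X^N - 1)
    while any(r1):
        quo, rem = _polydivmod(r0, r1)
        q_ring = [Fraction(0)] * N
        for i, c in enumerate(quo):
            q_ring[i % N] += c
        s0, s1, r0, r1 = s1, rsub(s0, rmul(q_ring, s1)), r1, rem
    if len(_trim(list(r0))) != 1:
        raise ValueError("not invertible over Q")
    return [c / r0[0] for c in s0]

def _integerize(u):
    """Turn the rational inverse u of a into integers: a * rho = d (mod X^N - 1), d an integer."""
    d = reduce(lambda x, y: x * y // gcd(x, y), (c.denominator for c in u), 1)
    return d, [int(c * d) for c in u]

def keygen(seed):
    """Private key (f, g, F, G) with f*G - g*F = q and public key h = g * f^-1 (mod q)."""
    rng = random.Random(seed)
    while True:
        f, g = ([rng.choice((-1, 0, 1)) for _ in range(N)] for _ in range(2))
        fbar, gbar = [f[-i % N] for i in range(N)], [g[-i % N] for i in range(N)]   # f(X^-1), g(X^-1)
        try:
            df, rho_f = _integerize(rinv_rational(f))
            dg, rho_g = _integerize(rinv_rational(g))
            den_inv = rinv_rational(radd(rmul(f, fbar), rmul(g, gbar)))
        except ValueError:
            continue
        if df % 2 == 0 or gcd(df, dg) != 1:    # need f invertible mod q = 2^8 and d_f, d_g coprime
            continue
        alpha = pow(df, -1, dg)                 # alpha*df + beta*dg = 1
        beta = (1 - alpha * df) // dg
        F = [-Q * beta * c for c in rho_g]      # f*G - g*F = q*(alpha*f*rho_f + beta*g*rho_g) = q
        G = [Q * alpha * c for c in rho_f]
        for _ in range(50):                     # Babai reduction: shrink (F, G) by multiples of (f, g)
            k = [round(c) for c in rmul(radd(rmul(F, fbar), rmul(G, gbar)), den_inv)]
            if not any(k):
                break
            F, G = rsub(F, rmul(k, f)), rsub(G, rmul(k, g))
        f_inv = [c * pow(df, -1, Q) % Q for c in rho_f]   # f*rho_f = d_f, so f^-1 = rho_f * d_f^-1 (mod q)
        return (f, g, F, G), [c % Q for c in rmul(f_inv, g)]

def hash_to_polys(msg):
    """m = h(...) expanded with SHAKE-256 and reduced mod q into the pair (m1, m2)."""
    d = hashlib.shake_256(msg).digest(2 * N)
    return [c % Q for c in d[:N]], [c % Q for c in d[N:]]

def sign(sk, msg):
    """s = f*B + F*b (mod q) with B, b the rounded quotients of step B3."""
    f, g, F, G = sk
    m1, m2 = hash_to_polys(msg)
    x = rsub(rmul(G, m1), rmul(F, m2))          # G*m1 - F*m2 = A + q*B
    y = rsub(rmul(f, m2), rmul(g, m1))          # -g*m1 + f*m2 = a + q*b
    B, b = [(c + Q // 2) // Q for c in x], [(c + Q // 2) // Q for c in y]
    return bytes(c % Q for c in radd(rmul(f, B), rmul(F, b)))

def verify(h, msg, sig):
    """t = s*h (mod q); accept iff ||s - m1||^2 + ||t - m2||^2 <= NormBound^2 (step C3)."""
    s, (m1, m2) = list(sig), hash_to_polys(msg)
    t = [c % Q for c in rmul(s, h)]
    err = sum(((a - b + Q // 2) % Q - Q // 2) ** 2 for a, b in zip(s + t, m1 + m2))
    return len(sig) == N and err <= NORM_BOUND ** 2
```

verify() recomputes t = s*h (mod q), so (s, t) always lies in the public lattice; what the norm check actually tests is whether it lies close to (m1, m2), which only the holder of the short basis (f, g, F, G) can arrange. A signature checked against a different message, or an all-zero signature, ends up at a distance of roughly q*sqrt(N/6) from (m1, m2) and is rejected.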
The present invention also defines three frames for the mutual authentication process: the authentication frame, the information frame M_ONU and the information frame M_OLT. The authentication frame (CERTIFICATION_GATE) initiates the authentication process for an ONU joining the PON; when the ONU receives it, authentication starts. Its frame structure is that of a standard control frame: a 6-byte MAC destination address field DA, a 6-byte MAC source address field SA, a 2-byte length/type field and a 2-byte opcode. The information field contains a 1-byte authentication flag field, the three authentication items the OLT sends to the ONU (certificate C_OLT, public key PK_OLT and random value R_OLT), each occupying 2 bytes, and an unused 33-byte reserved field filled with zeros. The authentication flag field identifies the current authentication state of the ONU: the decimal value 1 means the ONU has not been authenticated, and 2 means the ONU has already been authenticated and the authentication process need not be run again.
The information frame M_ONU has a structure similar to the authentication frame, but its information field is redefined to contain the 1-byte authentication flag field and the 16-byte information EM_ONU; the unused part is filled with zeros. A flag value of 1 means the certificate C_OLT that the OLT sent to the ONU has been verified and is valid; 2 means C_OLT failed verification and the registration/authentication process is terminated.
The information frame M_OLT has a structure similar to M_ONU, but its information field is redefined to contain the 1-byte authentication flag field and the 8-byte information EM_OLT; the unused part is filled with zeros. A flag value of 1 means the ONU's signature verified and the ONU is legitimate; 2 means the ONU's signature failed verification, the ONU is illegitimate, registration/authentication has failed, the OLT terminates the ONU's registration and the ONU must restart the registration/authentication process. The destination address field of this frame holds the MAC address of the corresponding ONU, i.e. M_OLT is directed at a specific ONU and is sent only to the ONU currently being authenticated.
The advantages of the invention are as follows. It exploits the high signing and verification efficiency and the low computational cost of NTRUSign to establish mutual authentication between the OLT and the ONU of a PON system, which resists attacks such as impersonation, replay, man-in-the-middle and known-session-key attacks. After mutual authentication the OLT and the ONU have negotiated a session key that is generated from random numbers and is therefore fresh and forward secure, and data can be encrypted under this shared key to prevent theft and tampering. The three custom frames let both parties know their current authentication state, which avoids repeated authentication and saves system resources.
Brief description of the drawings
Fig. 1 is the overall flowchart of the mutual authentication of the present invention;
Fig. 2 is the OLT-side authentication flowchart of the present invention;
Fig. 3 is the ONU-side authentication flowchart of the present invention;
Fig. 4 is a schematic diagram of the structure of the custom authentication frame of the present invention;
Fig. 5 is a schematic diagram of the structure of the custom information frame M_ONU of the present invention;
Fig. 6 is a schematic diagram of the structure of the custom information frame M_OLT of the present invention.
Embodiment
The technical scheme of the present invention is explained further below with reference to the drawings and an embodiment. The present invention performs the authentication of the OLT and the ONU within the registration process, so no separate authentication protocol needs to be designed and no extra cost is added.
The concrete scheme of the present invention is as follows:
Fig. 1 is the overall flowchart of mutual authentication in the embodiment. As shown in Fig. 1, the mutual authentication flow comprises the following steps:
Step 101: when the auto-discovery process starts, the OLT periodically broadcasts a DISCOVERY_GATE message to all ONUs; the message contains the start time and end time of the registration window and the relevant system parameters.
Step 102: an ONU that wants to join the system waits for the start of its own registration window and sends a REGISTER_REQ message to the OLT; the registration message contains parameters such as the ONU's ranging information and the bandwidth it requests.
Step 103: after receiving the ONU's registration message and checking that it is valid, the OLT registers the ONU and sends it a REGISTER frame containing the synchronization time specified by the OLT. It then sends the authentication frame (CERTIFICATION_GATE) to the ONU to tell it to start the authentication process.
Step 104: on receiving the OLT's authentication message, the ONU first verifies the validity of the OLT's certificate; if it verifies, the ONU generates its own signature s_ONU and sends it to the OLT. After receiving it, the OLT verifies the ONU's signature with the verification algorithm of NTRUSign to judge the legitimacy of the ONU's identity.
Step 105: if verification succeeds, the OLT sends the ONU a standard grant frame (Normal_GATE) and at the same time generates its own signature and sends it to the ONU. The ONU verifies the OLT's signature; if verification succeeds, the OLT's identity is also legitimate.
Step 106: to inform the OLT that registration and authentication are complete, the ONU sends a registration acknowledgement (REGISTER_ACK) to the OLT. At the same time both sides negotiate the shared session key.
Fig. 2 is the OLT-side authentication flowchart of the embodiment. As shown in Fig. 2, the authentication flow comprises the following steps:
Step 201: at EPON system initialization the OLT is in the discovery state; it periodically broadcasts DISCOVERY_GATE frames, generates its own initialization parameters (certificate C_OLT, public key PK_OLT, random value R_OLT) and waits for responses from unregistered ONUs.
Step 202: when an ONU answers the DISCOVERY_GATE with a REGISTER_REQ message, the OLT checks the message. If it is valid, the OLT accepts the ONU's registration request, sends the ONU a registration frame (REGISTER) and at the same time sends the authentication frame (CERTIFICATION_GATE) to start the authentication process. This frame contains the OLT's certificate C_OLT, the OLT's public key PK_OLT and the other authentication information; a flag field value of 1 in this frame means the ONU has not yet been authenticated.
Step 203: the OLT receives the information frame M_ONU from the ONU. A flag field value of 1 in this frame means the OLT's certificate was verified. The OLT computes the encryption key K, decrypts EM_ONU to obtain the ONU's certificate C_ONU, signature s_ONU and the other information, and starts authenticating the ONU.
Step 204: the OLT first verifies the ONU's certificate C_ONU. If the certificate is legitimate, it verifies the ONU's signature s_ONU with the ONU's public key PK_ONU. If the signature verifies, the ONU's identity is legitimate.
Step 205: after the ONU has been authenticated, the OLT signs the random value R_ONU with its own private key SK_OLT to produce the signature s_OLT, encrypts the signature with the computed encryption key K to protect it in transit, and sends the ciphertext EM_OLT = E(K, s_OLT) to the ONU in the information frame M_OLT. It then waits for the ONU's authentication response: receiving the registration acknowledgement REGISTER_ACK from the ONU means the OLT was authenticated successfully and the mutual authentication of ONU and OLT is complete.
Fig. 3 is the ONU-side authentication flowchart of the embodiment. As shown in Fig. 3, the authentication flow comprises the following steps:
Step 301: at EPON system initialization the ONU is in the waiting state, waiting for the start of its own window to join the EPON system and go through the registration and authentication process.
Step 302: when the ONU receives the DISCOVERY_GATE frame periodically broadcast by the OLT, it activates the registration process and generates its own initialization parameters (certificate C_ONU, public key PK_ONU, random value R_ONU). It then sends a request message to the OLT to join the EPON system.
Step 303: after receiving the registration frame (REGISTER) and the authentication frame (CERTIFICATION_GATE) from the OLT, the ONU first checks the legitimacy of the OLT certificate C_OLT carried in the authentication frame. If the result is legitimate, the ONU generates a random parameter r1, computes the encryption key K at the same time, and signs with its private key SK_ONU to obtain its own signature s_ONU. Finally it encrypts the ONU's certificate C_ONU, public key PK_ONU, random value R_ONU and signature s_ONU under K to obtain the ciphertext EM_ONU, sends EM_ONU to the OLT in the information frame M_ONU, and waits for the OLT's authentication result.
Step 304: the ONU receives the information frame M_OLT from the OLT. A flag field value of 1 in this frame means the ONU passed authentication. The ONU decrypts the received ciphertext EM_OLT with the encryption key K to obtain the OLT's signature s_OLT.
Step 305: the ONU verifies the OLT's signature s_OLT with the OLT's public key PK_OLT according to the verification algorithm of NTRUSign. If verification passes, the OLT's identity is judged legitimate, the OLT has been authenticated, the mutual authentication of OLT and ONU has been completed successfully, and the ONU sends REGISTER_ACK to the OLT to inform it that registration and authentication are complete.
According to the present invention, the authentication method requires three frames defined on the basis of MAC control frames: the authentication frame (CERTIFICATION_GATE), the information frame M_ONU and the information frame M_OLT.
Fig. 4 is a schematic diagram of the structure of the authentication frame (CERTIFICATION_GATE) that the OLT sends to the ONU. As shown in Fig. 4, the authentication frame used by the present invention has a 6-byte MAC destination address field (DA), a 6-byte MAC source address field (SA), a 2-byte length/type field and a 2-byte opcode. The information field contains a 1-byte authentication flag field, the three authentication items the OLT sends to the ONU (PK_OLT, C_OLT, R_OLT), and an unused 33-byte reserved field filled with zeros. A flag value of 1 means the ONU has not been authenticated; 2 means the ONU has already been authenticated and the authentication process need not be run again.
Fig. 5 is the structure of the information frame M_ONU that the ONU sends to the OLT. As shown in Fig. 5, M_ONU is similar in structure to the authentication frame defined by the present invention, but its information field is redefined to contain the 1-byte authentication flag field and the 16-byte information EM_ONU; the unused part is filled with zeros. A flag value of 1 means the certificate C_OLT that the OLT sent to the ONU has been verified and is valid; 2 means C_OLT failed verification and the registration/authentication process is terminated.
Fig. 6 is the structure of the information frame M_OLT that the OLT sends to the ONU. As shown in Fig. 6, M_OLT is similar in structure to the authentication frame defined by the present invention, but its information field is redefined to contain the 1-byte authentication flag field and the 8-byte information EM_OLT; the unused part is filled with zeros. A flag value of 1 means the ONU's signature verified and the ONU is legitimate; 2 means the ONU's signature failed verification, the ONU is illegitimate, registration/authentication has failed, the OLT terminates the ONU's registration and the ONU must restart the registration/authentication process. The destination address field of this frame holds the MAC address of the corresponding ONU, i.e. M_OLT is directed at a specific ONU and is sent only to the ONU currently being authenticated.
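Added example (not part of the patent): Python code by the editor for the three custom frames of Figs. 4 to 6 (the same layouts as in claims 2 to 5) and for the key handling of steps B to D; it also covers the encrypt/decrypt and session-key steps of the flows 201 to 205 and 301 to 305. Assumptions: the frame follows the standard MPCPDU layout DA(6) SA(6) length/type 0x8808 opcode(2) timestamp(4) data(40) FCS(4) = 64 bytes, since the page does not say where the 4 timestamp bytes of a standard control frame go; the opcodes 0x0101 to 0x0103 are hypothetical; the FCS is a CRC-32 placeholder; KD-HMAC-SHA256 is stood in by a counter-mode HMAC-SHA256 expansion; E() is an HMAC-SHA256 keystream with an HMAC tag, because the page names no cipher; h() is SHA-256; all sample addresses, keys and random values are constructed. Two caveats: the claimed field widths (2 bytes for PK_OLT and C_OLT, 16 bytes for EM_ONU) cannot hold NTRUSign material, whose public key at N = 251, q = 128 is about 220 bytes, so the codec reproduces the claimed layout but the key-exchange function does not try to fit its ciphertext into 16 bytes; and because K depends only on the PSK and the cleartext R_OLT, anyone holding the PSK can decrypt EM_ONU, recover R_ONU and r1 and compute the session key, so the forward secrecy claimed above holds only as long as the PSK stays secret.

```python
# Codec for CERTIFICATION_GATE / M_ONU / M_OLT and the key handling of steps B-D.
# Editor's example, not the patent's code; the assumptions are listed in the lead-in.
import hashlib
import hmac
import os
import struct
import zlib

MPCP_TYPE = 0x8808
OPCODES = {"CERTIFICATION_GATE": 0x0101, "M_ONU": 0x0102, "M_OLT": 0x0103}   # hypothetical values
LAYOUT = {   # claims 3-5: a 1-byte auth flag, then these fields, then zero-filled reserved bytes
    "CERTIFICATION_GATE": (("PK_OLT", 2), ("C_OLT", 2), ("R_OLT", 2)),
    "M_ONU": (("EM_ONU", 16),),
    "M_OLT": (("EM_OLT", 8),),
}

def pack_frame(kind, da, sa, flag, **fields):
    """Build the 64-byte frame; field widths are enforced and the reserved bytes are zero."""
    if len(da) != 6 or len(sa) != 6 or flag not in (1, 2):
        raise ValueError("DA/SA must be 6 bytes and the auth flag 1 or 2")
    info = bytes([flag])
    for name, width in LAYOUT[kind]:
        value = fields.pop(name)
        if len(value) != width:
            raise ValueError(f"{name} must be {width} bytes, got {len(value)}")
        info += value
    if fields:
        raise ValueError(f"unexpected fields: {sorted(fields)}")
    body = da + sa + struct.pack("!HHI", MPCP_TYPE, OPCODES[kind], 0) + info.ljust(40, b"\0")
    return body + struct.pack("!I", zlib.crc32(body))    # CRC-32 stands in for the MAC-layer FCS

def parse_frame(kind, frame):
    """Strict inverse of pack_frame: wrong length, FCS, opcode, flag or reserved bytes are rejected."""
    if len(frame) != 64:
        raise ValueError("control frame must be 64 bytes")
    body, (fcs,) = frame[:60], struct.unpack("!I", frame[60:])
    eth_type, opcode, _timestamp = struct.unpack("!HHI", body[12:20])
    if zlib.crc32(body) != fcs or eth_type != MPCP_TYPE or opcode != OPCODES[kind]:
        raise ValueError(f"not a well-formed {kind} frame")
    info = body[20:]
    out = {"DA": body[:6], "SA": body[6:12], "flag": info[0]}
    if out["flag"] not in (1, 2):
        raise ValueError("bad auth flag")
    pos = 1
    for name, width in LAYOUT[kind]:
        out[name], pos = info[pos:pos + width], pos + width
    if any(info[pos:]):
        raise ValueError("reserved bytes must be zero")
    return out

def kd_hmac_sha256(key, text, length=32):
    """Counter-mode HMAC-SHA256 expansion standing in for KD-HMAC-SHA256 (assumption)."""
    blocks = (hmac.new(key, text + bytes([i]), hashlib.sha256).digest() for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def encrypt(k, plaintext):
    """E(K, ...): XOR with a keystream under a fresh nonce, then a 16-byte HMAC tag (assumption)."""
    nonce = os.urandom(16)
    keystream = kd_hmac_sha256(k, b"enc" + nonce, len(plaintext))
    ct = bytes(p ^ s for p, s in zip(plaintext, keystream))
    return nonce + ct + hmac.new(k, b"mac" + nonce + ct, hashlib.sha256).digest()[:16]

def decrypt(k, blob):
    """Inverse of encrypt; a tag mismatch raises, which is where a side would answer with flag 2."""
    if len(blob) < 32:
        raise ValueError("ciphertext too short")
    nonce, ct, tag = blob[:16], blob[16:-16], blob[-16:]
    expected = hmac.new(k, b"mac" + nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext rejected: tag mismatch")
    keystream = kd_hmac_sha256(k, b"enc" + nonce, len(ct))
    return bytes(c ^ s for c, s in zip(ct, keystream))

def session_key(r_onu, r_olt, r1):
    """K_OLTONU = h(R_ONU || R_OLT || r1) of step D3, with h = SHA-256."""
    return hashlib.sha256(r_onu + r_olt + r1).digest()

def run_key_exchange(psk, r_olt, r_onu, r1, onu_record):
    """Steps B4, C1 and D3 without the signatures: the ONU wraps its record plus R_ONU and r1
    (16 bytes each) under K = KD(PSK, R_OLT); the OLT unwraps it with the K it derives on its own.
    Returns the session keys computed by the OLT and by the ONU, which must agree."""
    k_onu = kd_hmac_sha256(psk, r_olt)                    # ONU side, step B4
    em_onu = encrypt(k_onu, onu_record + r_onu + r1)
    k_olt = kd_hmac_sha256(psk, r_olt)                    # OLT side, step C1: same PSK, same R_OLT
    record = decrypt(k_olt, em_onu)
    olt_key = session_key(record[-32:-16], r_olt, record[-16:])
    return olt_key, session_key(r_onu, r_olt, r1)
```

parse_frame() is deliberately strict: an OLT or ONU that accepts any flag value, ignores a non-zero reserved area or skips the opcode check gives a peer on the shared fibre an easy way to inject malformed authentication frames, which is exactly the class of rogue-ONU behaviour the background section describes.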

Claims (5)

1. A mutual authentication method for EPON access based on NTRUSign, characterized in that the method comprises the following steps:
Step A: the OLT (central office side) and the ONU (user side) of the PON system each generate a public/private key pair with the key generation algorithm of NTRUSign, and at the same time generate the certificates C_ONU / C_OLT and the random values R_ONU / R_OLT;
Step B: the OLT sends the custom authentication frame CERTIFICATION_GATE to the ONU; this frame is 64 bytes like a standard control frame, and its information field carries the OLT's public key PK_OLT, certificate C_OLT and random value R_OLT, each occupying 2 bytes; the ONU verifies the OLT's certificate C_OLT and, if it is valid, generates a random parameter r1 and produces the signature s_ONU with its private key SK_ONU according to the NTRUSign signing algorithm; it derives an encryption key K with the key derivation algorithm, encrypts the ONU's certificate C_ONU, public key PK_ONU, random value R_ONU, random parameter r1 and signature s_ONU under K to obtain the ciphertext EM_ONU, and sends EM_ONU to the OLT in the information frame M_ONU;
Step C: the OLT receives M_ONU from the ONU and extracts the ciphertext EM_ONU carried in its information field; the OLT derives the same encryption key K with the key derivation algorithm, decrypts EM_ONU and obtains the ONU's certificate C_ONU and signature s_ONU; it first verifies the certificate C_ONU and, if the certificate is valid, verifies the received signature with the ONU's public key PK_ONU according to the NTRUSign verification algorithm; if the signature verifies, the ONU is legitimate; the OLT then generates its own signature s_OLT with its private key SK_OLT according to the NTRUSign signing algorithm, encrypts s_OLT under K to obtain the ciphertext EM_OLT, and sends EM_OLT to the ONU in the information frame M_OLT;
Step D: the ONU receives M_OLT from the OLT, extracts the ciphertext EM_OLT carried in its information field and decrypts it to obtain the OLT's signature s_OLT; it verifies s_OLT with the OLT's public key according to the NTRUSign verification algorithm, and once the signature verifies the two sides negotiate the session key.
2. The mutual authentication method for EPON access based on NTRUSign according to claim 1, characterized in that three frames are defined for the authentication process: the authentication frame, the information frame M_ONU and the information frame M_OLT; all three are designed on the basis of the standard control frame, whose 40 unused bytes of information field are redefined: the authentication frame CERTIFICATION_GATE defines 7 bytes, M_ONU defines 17 bytes and M_OLT defines 9 bytes; the three frames carry the authentication information of the OLT and the ONU so that the authentication process is completed efficiently and securely.
3. The mutual authentication method for EPON access based on NTRUSign according to claim 1 or 2, characterized in that the custom authentication frame of the authentication process initiates the authentication process for an ONU joining the PON, and authentication starts when the ONU receives it; the frame structure of the authentication frame is that of a standard control frame: a 6-byte MAC destination address field DA, a 6-byte MAC source address field SA, a 2-byte length/type field and a 2-byte opcode; the information field contains a 1-byte authentication flag field, the three authentication items the OLT sends to the ONU, each occupying 2 bytes, namely the certificate C_OLT, the public key PK_OLT and the random value R_OLT, and the remaining unused 33-byte reserved field filled with zeros; the authentication flag field identifies the current authentication state of the ONU: the decimal value 1 means the ONU has not been authenticated, and 2 means the ONU has already been authenticated and the authentication process need not be run again.
4. The mutual authentication method for EPON access based on NTRUSign according to claim 1 or 2, characterized in that the custom information frame M_ONU of the authentication process is the key message the ONU sends to the OLT; it contains the ciphertext EM_ONU obtained by encrypting the ONU's signature s_ONU, the random parameter r1, the certificate C_ONU, the public key PK_ONU and the random value R_ONU, so that the OLT can authenticate the ONU; M_ONU has a structure similar to the authentication frame, but its information field is redefined to contain the 1-byte authentication flag field, the 16-byte information EM_ONU and the remaining unused 23-byte reserved field filled with zeros; a flag value of 1 means the certificate C_OLT that the OLT sent to the ONU has been verified and is valid; 2 means C_OLT failed verification and the registration/authentication process is terminated.
5. The mutual authentication method for EPON access based on NTRUSign according to claim 1 or 2, characterized in that the custom information frame M_OLT of the authentication process is the key message the OLT sends to the ONU; it contains the ciphertext EM_OLT obtained by encrypting the OLT's signature s_OLT, and the ONU judges the legitimacy of the OLT's identity by verifying this information; M_OLT has a structure similar to M_ONU, but its information field is redefined to contain the 1-byte authentication flag field, the 8-byte information EM_OLT and the remaining unused 31-byte reserved field filled with zeros; a flag value of 1 means the ONU's signature verified and the ONU is legitimate; 2 means the ONU's signature failed verification, the ONU is illegitimate, registration/authentication has failed, the OLT terminates the ONU's registration and the ONU must restart the registration/authentication process; the destination address field of this frame holds the MAC address of the corresponding ONU, i.e. M_OLT is directed at a specific ONU and is sent only to the ONU currently being authenticated.
CN201410178038.8A 2014-04-30 2014-04-30 Mutual authentication method based on NTRUSign passive optical network access Pending CN103905209A (en)

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN201410178038.8A CN103905209A (en) 2014-04-30 2014-04-30 Mutual authentication method based on NTRUSign passive optical network access

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
CN201410178038.8A CN103905209A (en) 2014-04-30 2014-04-30 Mutual authentication method based on NTRUSign passive optical network access

Publications (1)

Publication Number Publication Date
CN103905209A true CN103905209A (en) 2014-07-02

Family

ID=50996366

Family Applications (1)

Application Number Title Priority Date Filing Date
CN201410178038.8A Pending CN103905209A (en) 2014-04-30 2014-04-30 Mutual authentication method based on NTRUSign passive optical network access

Country Status (1)

Country Link
CN (1) CN103905209A (en)

Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101662705A (en) * 2009-10-19 2010-03-03 国网信息通信有限公司 Equipment authentication method of Ethernet passive optical network (EPON) and system thereof
US20110302283A1 (en) * 2010-06-03 2011-12-08 Niclas Nors Methods And Arrangements In A Passive Optical Network
CN103200161A (en) * 2012-01-10 2013-07-10 上海贝尔股份有限公司 Optical network unit (ONU) identity authentication method in gigabit passive optical network (GPON)

Non-Patent Citations (2)

Title
殷爱菡: "A wireless communication protocol based on the NTRU public-key cryptosystem", 《电视技术》 *
殷爱菡: "Research on an NTRU-based EPON authentication scheme", 《光通信技术》 *

Cited By (10)

Publication number Priority date Publication date Assignee Title
WO2016176902A1 (en) * 2015-05-06 2016-11-10 宇龙计算机通信科技(深圳)有限公司 Terminal authentication method, management terminal and application terminal
CN105592040A (en) * 2015-07-29 2016-05-18 杭州华三通信技术有限公司 Security registration method and equipment for implementing ONU in EPON
CN105592040B (en) * 2015-07-29 2018-11-09 新华三技术有限公司 The secure registration method and apparatus of ONU is realized in EPON
CN105357182A (en) * 2015-10-08 2016-02-24 国网天津市电力公司 Encryption authentication method based on multi-service carrying EOPN registration process
CN107919917A (en) * 2017-12-29 2018-04-17 武汉长光科技有限公司 A method for preventing illegal ONU registration and going online
CN109274489A (en) * 2018-09-25 2019-01-25 重庆邮电大学 Authentication key negotiation method under TWDM-PON system
CN109274489B (en) * 2018-09-25 2021-05-28 重庆邮电大学 A kind of authentication key agreement method under TWDM-PON system
WO2022062948A1 (en) * 2020-09-22 2022-03-31 华为技术有限公司 Secure communication method and apparatus for passive optical network
CN114302264A (en) * 2020-09-22 2022-04-08 华为技术有限公司 Secure communication method and device in passive optical network
CN114302264B (en) * 2020-09-22 2025-12-05 华为技术有限公司 A secure communication method and apparatus in a passive optical network

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
WD01 Invention patent application deemed withdrawn after publication

Application publication date: 20140702