1. Field of the Invention
The present invention relates to a gigabit-capable passive optical network (GPON), and more particularly, to a system and a method for providing secured transmission through authenticated encryption for each optical network unit (ONU) in the downlink transmission of an optical line terminal (OLT) in a GPON.
2. Description of the Related Art
Recently, the International Telecommunication Union (ITU)-T G.984 series has standardized the specifications of a gigabit-capable passive optical network (GPON) for efficiently transmitting asynchronous transfer mode (ATM) cells, Ethernet frames and time-division multiplexing (TDM) packets through a passive optical network (PON) based subscriber access network, providing a maximum bandwidth of 2.5 Gbps. The GPON is capable of providing a TDM service, an E1/T1 service and a plain old telephone service (POTS) using a frame-based transmission scheme (125 μs cycle, 8 kHz), which is the same transmission scheme used by a synchronous optical network (SONET). The GPON also has the capability of providing a high-quality broadcasting service and an Internet protocol (IP) data service through its 2.5 Gbps bandwidth. Such a GPON is widely used in the US and Europe as a replacement for an ATM PON (APON).
In a GPON system, an optical distributor receives optical signals transmitted based on a TDM scheme from a single optical line terminal (OLT) and distributes the received optical signals to a plurality of optical network units (ONUs). Since the conventional GPON system has a broadcast characteristic for downlink transmission, downlink frames are transmitted from the one OLT to all ONUs in the GPON system. Accordingly, each ONU of the GPON system is designed to receive only its own frames by filtering the transmitted frames. However, such a design of the ONU has a shortcoming: because every downlink frame physically reaches every ONU, a subscriber may illegally obtain valuable information transmitted to other ONUs simply by modifying the portion of the subscriber's ONU that filters the transmitted frames.
In order to hide information from other ONUs, the current GPON standard defines specifications to encrypt the payload of service data using the 128-bit counter-mode advanced encryption standard (CTR-AES). However, the current GPON standard fails to define specifications to protect valuable information in the frame header, such as physical layer OAM (PLOAM) and bandwidth allocation (BA) information. Therefore, such valuable information in the frame header is exposed to, and may easily be modified by, unauthorized ONUs, and may be used by the unauthorized ONUs to disturb other ONUs with harmful intent.
FIG. 1 is a block diagram illustrating a GPON system for providing an encryption function for encrypting a payload according to the related art.
Referring to FIG. 1, the GPON system according to the related art includes an optical line terminal (OLT) 11 for receiving data from an external service provider, transforming the received data into a single optical signal and transmitting the optical signal, and for receiving uplink data from a plurality of ONUs 12 and transmitting the received uplink data to an external unit; and the ONU 12 as a user-side device for receiving the optical signal provided from the OLT 11, converting the received optical signal to an electric signal and providing the electric signal to a user.
In order to create uplink/downlink data, the OLT 11 includes: a header generator 101 for generating a frame header by receiving a dynamic bandwidth allocation (DBA) having bandwidth allocation information and a PLOAM carrying PLOAM information; a payload generator 102 for receiving an ATM service data unit (SDU) and a GEM service data unit (SDU) and processing them independently; a payload encrypter 103 for receiving the ATM-processed payload and the GEM-processed payload data and encrypting each received payload separately; a multiplexer 104 for multiplexing the header created by the header generator 101 and the payloads encrypted by the payload encrypter 103 to create one downlink signal; and an electric-optical converter 105 for converting the downlink signal to an optical signal.
The header generator 101 generates a frame header including DBA information denoting uplink bandwidth information of the ONUs 12, a PLOAM denoting network control and management information, synchronization pattern information, a GTC downlink frame counter, FEC setting information and frame payload length information.
The payload generator 102 includes an ATM partition module for receiving and processing an ATM service data unit (SDU) from an external service provider and a GEM partition module for receiving and processing a GEM service data unit (SDU) from an external service provider. The ATM partition module of the payload generator 102 processes an ATM cell configured of a 5-byte ATM header and a 48-byte payload. The GEM partition module processes a GEM frame configured of a 5-byte GEM header and a payload of variable length shorter than 4095 bytes.
The payload encrypter 103 performs 128-bit CTR-AES block encryption. That is, the payload encrypter 103 generates a 46-bit crypto-counter by concatenating a 30-bit GTC downlink frame counter and a 16-bit block counter, and generates a 138-bit encryption counter by concatenating three copies of the 46-bit crypto-counter. Then, the payload encrypter 103 discards the uppermost 10 bits of the 138-bit encryption counter and uses the remaining 128 bits as the encryption counter block. Herein, the 30-bit GTC downlink frame counter increases by one each time a frame is transmitted downlink. Also, the 16-bit block counter increases by one for every four bytes transmitted and is reset to '0' at the start of each GTC downlink frame. The 128-bit encryption key used in the payload encrypter 103 is generated by each of the ONUs 12 and is transmitted to the OLT 11 upon the OLT 11's request.
As described above, the payload encrypter 103 encrypts the 128-bit encryption counter block using the 128-bit key received from each of the ONUs 12, and the payload is encrypted by performing an exclusive-OR of each 128-bit payload block with the encrypted counter block, which serves as the keystream. The encrypted payloads are transmitted to the multiplexer 104, and the multiplexer 104 generates the GTC downlink frame by multiplexing the frame header from the header generator 101 and the encrypted payload.
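The counter construction and keystream step described above, as an added worked example that is not part of this patent's text or of any GPON implementation. The block-cipher call on the 16-byte counter block is stood in for by a truncated HMAC-SHA256 so that the example runs with the Python standard library only; a real OLT or ONU applies AES-128 under the ONU key at that point. The key, frame counter and payload used in the demonstration are constructed values, and the parameter first_word (the 4-byte word offset of the payload within the frame) is an assumption made here, since the text states only that the 16-bit counter advances once per four bytes and is reset at the start of each frame.

```python
import hashlib
import hmac
from typing import Callable

FRAME_COUNTER_BITS = 30      # 30-bit GTC downlink (inter-frame) counter
BLOCK_COUNTER_BITS = 16      # 16-bit intra-frame counter, advances per 4 bytes
CRYPTO_COUNTER_BITS = FRAME_COUNTER_BITS + BLOCK_COUNTER_BITS   # 46
COUNTER_BLOCK_BYTES = 16     # AES block size: 128 bits
FRAME_PERIOD_S = 125e-6      # one GTC downlink frame every 125 microseconds


def build_counter_block(frame_counter: int, block_counter: int) -> bytes:
    """Return the 128-bit counter block used by the payload encrypter 103.

    46-bit crypto-counter = frame_counter (30 bits) || block_counter (16 bits);
    three copies are concatenated into 138 bits and the 10 uppermost bits are
    discarded, leaving exactly 128 bits (one AES block), big-endian.
    """
    if not 0 <= frame_counter < (1 << FRAME_COUNTER_BITS):
        raise ValueError("frame counter must fit in 30 bits")
    if not 0 <= block_counter < (1 << BLOCK_COUNTER_BITS):
        raise ValueError("block counter must fit in 16 bits")
    c46 = (frame_counter << BLOCK_COUNTER_BITS) | block_counter
    c138 = (c46 << (2 * CRYPTO_COUNTER_BITS)) | (c46 << CRYPTO_COUNTER_BITS) | c46
    c128 = c138 & ((1 << (8 * COUNTER_BLOCK_BYTES)) - 1)   # drop bits 128..137
    return c128.to_bytes(COUNTER_BLOCK_BYTES, "big")


def stand_in_block_encrypt(key: bytes, block: bytes) -> bytes:
    """Stand-in for AES-128 encryption of one counter block (example only).

    HMAC-SHA256 truncated to 16 bytes keeps the example standard-library only;
    a real OLT/ONU encrypts the counter block with AES-128 under the ONU key.
    """
    return hmac.new(key, block, hashlib.sha256).digest()[:COUNTER_BLOCK_BYTES]


def ctr_crypt(key: bytes, frame_counter: int, payload: bytes, first_word: int = 0,
              block_encrypt: Callable[[bytes, bytes], bytes] = stand_in_block_encrypt) -> bytes:
    """Encrypt or decrypt a payload in CTR mode; the same call inverts itself.

    first_word (an assumption of this example) is the 4-byte word offset of the
    payload within the frame. Payload block k (16 bytes) uses intra-frame
    counter first_word + 4*k, because the counter advances once per 4 bytes
    while a block covers 16 bytes. A trailing partial block is XORed with a
    truncated keystream block.
    """
    if len(key) != 16:
        raise ValueError("128-bit ONU key expected")
    out = bytearray()
    for offset in range(0, len(payload), COUNTER_BLOCK_BYTES):
        word = first_word + offset // 4
        keystream = block_encrypt(key, build_counter_block(frame_counter, word))
        chunk = payload[offset:offset + COUNTER_BLOCK_BYTES]
        out.extend(p ^ k for p, k in zip(chunk, keystream))
    return bytes(out)


def frame_counter_wrap_seconds() -> float:
    """Seconds until the 30-bit frame counter wraps and counter blocks repeat."""
    return (1 << FRAME_COUNTER_BITS) * FRAME_PERIOD_S


if __name__ == "__main__":
    onu_key = bytes(range(16))                          # constructed demo key
    gem_payload = b"constructed GEM payload, 40 bytes long.."
    ciphertext = ctr_crypt(onu_key, 7, gem_payload)
    assert ctr_crypt(onu_key, 7, ciphertext) == gem_payload
    print("counter block (frame 1, word 0):", build_counter_block(1, 0).hex())
    print("frame counter wraps after %.1f hours" % (frame_counter_wrap_seconds() / 3600))
```

Because the counter block is a deterministic function of the frame counter and the word offset, the keystream repeats once the 30-bit frame counter wraps, which happens after 2^30 frames of 125 μs, roughly 37 hours; the ONU key must be switched before that point, since XORing two payloads encrypted under the same key and counter block cancels the keystream entirely.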
Then, the generated GTC downlink frame is converted to an optical signal through the electric-optical converter 105, and the optical signal is transmitted to each of the ONUs 12.
While generating the GTC downlink frame, the frame header 120 generated by the header generator 101 is inserted into the GTC downlink frame in-band without being encrypted. Therefore, the GTC downlink frame is transmitted to the ONUs 12 with the GTC downlink frame payload 130 encrypted but the GTC downlink frame header 120 in the clear.
Meanwhile, the optical network unit (ONU) 12 includes: an optical-electric converter 106 for receiving the GTC downlink frame as an optical signal and converting it to an electric signal; a de-multiplexer 107 for de-multiplexing the electric GTC downlink frame into a header and a payload; a header processor 110 for receiving the frame header from the de-multiplexer 107 and processing the frame header; a payload decrypter 108 for receiving the payload from the de-multiplexer 107 and decrypting the payload; and a payload processor 109 for processing the decrypted payload.
The payload decrypter 108 performs the function corresponding to the payload encrypter 103 in the OLT 11. That is, the payload decrypter 108 decrypts the ATM cells and the GEM frames encrypted by the payload encrypter 103.
The payload processor 109 includes the ATM partition module and the GEM partition module. The ATM partition module processes the 53-byte ATM cell configured of the 5-byte ATM header and the 48-byte payload. The GEM partition module processes the GEM frame configured of the 5-byte GEM header and the payload of variable length shorter than 4095 bytes.
FIG. 2 is a conceptual view illustrating a possible hacking attempt made on a GPON system providing an encryption function for encrypting a payload according to the related art.
Referring to FIG. 2, the possible hacking attempts on a GTC downlink frame of the conventional GPON system are generally classified into four types.
As a first hacking type, a hacker 204 may illegally obtain information from the GTC downlink frames 201 transmitted to all of the ONUs 207, 210 and 211 by tapping the common link S200 between an OLT 200 and an optical splitter 209 that optically distributes the signal from the OLT 200 to all of the ONUs 207, 210 and 211. Herein, the GTC downlink frames 201 are attacked by modifying, intercepting or monitoring them. Even if the hacker 204 successfully captures the GTC downlink frames 201, the hacker 204 cannot read their payload because the payload is encrypted. However, valuable information in the header, such as the PLOAM information 202 and the DBA information 203, may leak in this way. This first type of attack requires cutting into the link S200 to tap it, and is therefore very difficult for an ordinary person. However, it remains quite possible that the conventional GPON system may be attacked by experts using the first hacking type.
As a second type of hacking attempt, a hacker 205 may obtain the valuable information 202 and 203 through an attack such as modifying, intercepting or monitoring the GTC downlink frames 201 transmitted to the ONU 207, by accessing the link S201 between the splitter 209 and the ONU 207. The second hacking type must likewise physically tap a fiber link, here S201, and is therefore very difficult for an ordinary person. However, it remains quite possible that the conventional GPON system may be attacked by experts using the second hacking type.
As a third type of hacking attempt, a hacker 206 creates a fraudulent ONU 207 and obtains information transmitted to another ONU 210 without filtering, by a simple modification of the ONU program. Such a third hacking method uses the fraudulent ONU 211 to act like the real ONU 210 or to disturb the uplink transmission of the real ONU 210.
As a fourth type of hacking attempt, a hacker 207 attacks the GPON system by accessing an unused port of the splitter 209 between the OLT 200 and the ONU 211, or receives the GTC downlink frames without filtering by adding a splitter 208 to the link between the splitter 209 and the ONU 211. In the fourth hacking method, the hacker 207 acts like the real ONU 211 or disturbs the uplink transmission of the real ONU 211. Since the fourth hacking method can intercept the encryption key transmitted from the ONU 211 through the uplink, the hacker 207 may also recover the encrypted data in the frame. Therefore, the fourth hacking method may be lethal and cause great damage.
Therefore, there is a great demand for authenticated encryption of GTC downlink frames in the GPON system, and for a method of protecting the GTC downlink frames from unauthenticated ONUs that would expose the valuable information.