1. Field of the Invention
The present invention relates to a gigabit Ethernet-based passive optical network including an optical line terminal (OLT) provided in a service provider-side and a plurality of optical network terminals (ONT) provided in a user-side, and more particularly to an encryption method for data security between the OLT and the plurality of ONTs.
2. Description of the Related Art
Currently, large quantities of data can be shared in an online state owing to expansion of public networks such as various wireless networks and an ultra-high speed communication network. Data sharing in an offline state is widely used through high capacity storage media such as CDs and DVDs. In this way, users can receive numerous types of data shared online and offline. However, security systems for such online and offline data sharing systems are generally weak.
A passive optical network (hereinafter, referred to as a PON) is a communication network system that transmits signals to an end-user through an optical cable network. The PON includes one OLT installed at a communication company's site and a plurality of ONTs installed in subscribers' premises. In general, a maximum of 32 ONTs can be connected to one OLT.
The PON can provide each UE (user) with 622 Mbps of bandwidth in downstream transmission and 155 Mbps of bandwidth in upstream transmission, which can be assigned to a plurality of users utilizing the PON. The PON can be used as a trunk between a large scale system such as a cable TV system and a nearby building, or between a large scale system and an Ethernet network for a household using a coax cable.
The OLT transmits a corresponding signal to the ONT through an optical cable. The ONT receives the signal transmitted from the OLT, processes the received signal, and then transmits the processed signal to an end-user. The ONT, which is a transport system in a service subscriber-side, constitutes terminating equipment in an optical communication network that provides a service interface to an end-user.
The ONT serves fiber to the curb (FTTC), fiber to the building (FTTB), fiber to the floor (FTTF), fiber to the home (FTTH), fiber to the office (FTTO), etc. Therefore, the ONT is required to provide high service accessibility for users. The ONT connects a cable, which is connected to a subscriber and which carries the analog signal transmitted from the subscriber, to the optical facilities that are connected to the OLT and transceive optical signals.
In this way, the ONT converts an optical signal transmitted from the OLT into an electric signal (photoelectric conversion), and transmits the converted signal to a subscriber. In addition, the ONT converts an electric signal transmitted from a subscriber into an optical signal (electrooptic conversion), and transmits the converted signal to the OLT.
FIG. 1 is a block diagram showing a downstream transmission structure of data in a Gigabit Ethernet-PON, and FIG. 2 is a block diagram showing an upstream transmission structure of data in the Gigabit Ethernet-PON.
As shown in FIGS. 1 and 2, the Gigabit Ethernet-PON (hereinafter, referred to as a GE-PON) has a tree structure in which one OLT 10 is connected to a plurality of ONTs 20, 22 and 24 through an optical coupler 15. Using the GE-PON, a cost-effective subscriber network can be constructed as compared to an activity-on-node (AON).
The first type of GE-PON standardized was an asynchronous transfer mode passive optical network (hereinafter, referred to as an ATM-PON). ATM cells are transmitted upstream or downstream in the form of blocks, each of which consists of a predetermined number of ATM cells. In contrast, in an Ethernet-PON (hereinafter, referred to as an E-PON), packets having different sizes are transmitted in the form of blocks, each of which includes a predetermined number of packets. Accordingly, the E-PON has a more complex control structure than the ATM-PON.
The downstream transmission of data will be described with reference to FIG. 1. In the case of the downstream transmission, the OLT 10 broadcasts data to be transmitted to the ONTs 20, 22 and 24. When the data transmitted from the OLT 10 is received, the optical coupler 15 transmits the received data to each of the ONTs 20, 22 and 24. Each of the ONTs 20, 22 and 24 detects data that is to be transmitted to each of users 30, 32 and 34 from the data transmitted from the optical coupler 15. Then, each of the ONTs 20, 22 and 24 transmits only detected data to each of users 30, 32 and 34.
The upstream transmission of data will be described with reference to FIG. 2. In the case of the upstream transmission, data transmitted from each of the users 30, 32 and 34 is transmitted to each of the ONTs 20, 22 and 24. Each of the ONTs 20, 22 and 24 transmits the data received from the users 30, 32 and 34 to the optical coupler 15 only when transmission permission has been granted by the OLT 10. In this case, each of the ONTs 20, 22 and 24 transmits its received data upstream only during the time slot assigned to it by a time division multiplexing (TDM) method. Accordingly, data collisions due to upstream transmission do not occur in the optical coupler 15.
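The upstream grant mechanism just described, as an added illustration that is not part of the original specification: a constructed model in which the OLT turns per-ONT byte requests into non-overlapping TDM slots and the coupler checks whether any two transmissions overlap. The guard interval, line rate and ONT identifiers are assumptions chosen for the example, and the collision check is included to show what the scheduling prevents (and how a transmission outside its grant would be detected), not how any real OLT or ONT implements it.

```python
from dataclasses import dataclass

GUARD_NS = 100  # constructed guard interval between consecutive grants (assumption)


@dataclass(frozen=True)
class Grant:
    """A TDM slot assigned by the OLT: the ONT may transmit in [start_ns, end_ns)."""
    ont_id: int
    start_ns: int
    end_ns: int


def build_cycle(requests_bytes: dict, line_rate_bps: int) -> list:
    """OLT side: convert per-ONT byte requests into non-overlapping time slots.

    Slots are laid out back to back in request order, each followed by a guard
    interval, so no two ONTs are ever permitted to transmit at the same time.
    """
    grants, t = [], 0
    for ont_id, nbytes in requests_bytes.items():
        duration_ns = nbytes * 8 * 1_000_000_000 // line_rate_bps
        grants.append(Grant(ont_id, t, t + duration_ns))
        t += duration_ns + GUARD_NS
    return grants


def find_collisions(transmissions: list) -> list:
    """Coupler side: return (ont_a, ont_b) pairs whose transmissions overlap in time.

    Transmissions are sorted by start time and compared against the transmission
    that extends furthest so far, so non-adjacent overlaps are caught as well.
    """
    collisions, furthest = [], None
    for tx in sorted(transmissions, key=lambda g: g.start_ns):
        if furthest is not None and tx.start_ns < furthest.end_ns:
            collisions.append((furthest.ont_id, tx.ont_id))
        if furthest is None or tx.end_ns > furthest.end_ns:
            furthest = tx
    return collisions


def demo():
    """Constructed scenario: three ONTs (20, 22, 24) on a 155 Mbps upstream link."""
    grants = build_cycle({20: 1500, 22: 1500, 24: 64}, 155_000_000)
    # ONTs that honour their grants never collide at the coupler.
    honoured = find_collisions(grants)
    # An ONT transmitting outside its slot (here ONT 24 at t=0) is detectable as a collision.
    rogue = find_collisions(grants + [Grant(24, 0, 500)])
    return grants, honoured, rogue


if __name__ == "__main__":
    for g in demo()[0]:
        print(f"ONT {g.ont_id}: {g.start_ns} ns .. {g.end_ns} ns")
    print("collisions (grants honoured):", demo()[1])
    print("collisions (ONT 24 outside its slot):", demo()[2])
```

The model captures the property the text relies on: because the OLT hands out disjoint slots, the coupler never sees two upstream bursts at once, and any overlap it does see is a protocol violation rather than a normal event.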
With the development of Internet technology, service subscribers have come to require data services that need larger bandwidths, and have been attracted to end-to-end transmission using Gigabit Ethernet technology, which is relatively low-priced and can secure a higher bandwidth than ATM technology, which requires relatively expensive equipment, is limited in bandwidth, and must perform segmentation of IP packets. Thus, even in the PON structure of a subscriber network, the Ethernet type is required rather than the ATM type.
For a packet protocol data unit (hereinafter, referred to as a PDU), the encryption method used in the ATM-PON is churning. An encryption key having a size of 24 bytes is used as the churning key. Since the method allows the value of the key to be updated every second and uses a relatively simple algorithm, it is used to support the high speed of an ATM-PON operating at 622 Mbps. The periodically updated key values are generated in an ONT, inserted into the payload portion of an operation, administration and maintenance (hereinafter, referred to as an OAM) cell, and then transmitted to the OLT.
Packet PDU encryption methods also include, in addition to the churning method, the data over cable service interface specification (DOCSIS) method, which uses the data encryption standard in cipher block chaining mode (DES-CBC).
In the case of the ATM-PON, a churning key of 3 bytes is inserted into the OAM cell, owing both to the limitations of encryption technology and to the need to support high speeds; however, such a short key limits the strength of the encryption key itself.
Since the GE is faster than the ATM-PON (e.g., 622 Mbps), it is inefficient for the GE to use the encryption method of the ATM-PON. In DOCSIS, which uses the DES-CBC encryption method, the key must be renewed every 12 hours so that unauthorized wiretapping by malicious users can be prevented.
Accordingly, when the DES-CBC encryption method is applied to the GE-PON, it increases the burden on the OLT, which must manage a plurality of ONTs in a point-to-multipoint structure. Further, since the GE-PON has a point-to-multipoint structure, which is relatively weak from a security standpoint, the encryption of user data transmitted over the upstream/downstream links is a significant problem. Accordingly, a powerful and efficient encryption key method must be selected and used effectively. However, standardization of the encryption method and the key management scheduling scheme for the GE-PON is still under development in IEEE 802.3ah, and the packet format has not yet been decided.
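The downstream broadcast structure of FIG. 1 and the security problem stated above, as an added illustration that is not part of the original specification: a constructed model in which the OLT sends every frame to the coupler, the coupler copies it to all ONTs, and each ONT passes on only the frames addressed to its own user. Run once without encryption, every ONT sees the other users' data in the clear; run with a per-ONT key, the frames it is not the addressee of are opaque. The ONT identifiers 20, 22 and 24 and users 30, 32 and 34 follow the figure; the per-ONT keys, the frame layout and the SHA-256 counter-mode keystream are assumptions for the example (the keystream stands in for the real cipher and is not a recommendation), and the out-of-band key agreement is assumed rather than modelled.

```python
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Frame:
    ont_id: int        # destination ONT; stands in for the identifier the ONT matches on (assumption)
    seq: int           # per-frame sequence number, used as the keystream nonce
    payload: bytes     # plaintext or ciphertext, depending on `encrypted`
    encrypted: bool


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Hypothetical counter-mode keystream from SHA-256 (stand-in for the real cipher)."""
    out, counter = b"", 0
    while len(out) < length:
        block = key + nonce.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class OLT:
    """Service-provider side: builds one frame per user, optionally encrypted with that ONT's key."""

    def __init__(self, ont_keys: dict):
        self.ont_keys = ont_keys   # per-ONT keys agreed out of band (assumption)
        self.seq = 0

    def send(self, ont_id: int, plaintext: bytes, encrypt: bool) -> Frame:
        self.seq += 1
        data = plaintext
        if encrypt:
            data = xor_bytes(plaintext, keystream(self.ont_keys[ont_id], self.seq, len(plaintext)))
        return Frame(ont_id, self.seq, data, encrypt)


class Coupler:
    """Passive splitter: every downstream frame reaches every ONT."""

    @staticmethod
    def broadcast(frame: Frame, onts: list) -> None:
        for ont in onts:
            ont.receive(frame)


class ONT:
    """Subscriber side: delivers its own frames to the user, but physically sees all of them."""

    def __init__(self, ont_id: int, key: bytes):
        self.ont_id, self.key = ont_id, key
        self.delivered = []   # payloads handed to this ONT's user
        self.observed = []    # raw payloads of frames addressed to other ONTs

    def receive(self, frame: Frame) -> None:
        if frame.ont_id != self.ont_id:
            self.observed.append(frame.payload)   # what an ONT sees on the shared fiber
            return
        payload = frame.payload
        if frame.encrypted:
            payload = xor_bytes(payload, keystream(self.key, frame.seq, len(payload)))
        self.delivered.append(payload)


def simulate(encrypt: bool) -> dict:
    """Constructed scenario: one frame for each of users 30, 32 and 34 via ONTs 20, 22 and 24."""
    keys = {20: b"key-ont-20", 22: b"key-ont-22", 24: b"key-ont-24"}   # constructed keys
    olt, onts = OLT(keys), [ONT(i, keys[i]) for i in (20, 22, 24)]
    traffic = {20: b"user 30 data", 22: b"user 32 data", 24: b"user 34 data"}  # constructed
    for ont_id, plaintext in traffic.items():
        Coupler.broadcast(olt.send(ont_id, plaintext, encrypt), onts)
    return {
        "delivered": {o.ont_id: o.delivered for o in onts},
        "observed_by": {o.ont_id: o.observed for o in onts},
    }


if __name__ == "__main__":
    for mode in (False, True):
        r = simulate(mode)
        print("encrypted" if mode else "cleartext", "-> ONT 20 observes:", r["observed_by"][20])
```

The point of the model is the second dictionary: filtering at the ONT decides what reaches the user, not what reaches the ONT, so on a point-to-multipoint link confidentiality between subscribers rests entirely on per-ONT keys and on how often they are renewed.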