Patent abstract:
NETWORK COMPONENT, APPARATUS AND METHOD. A network component (500) comprising at least one processor (502) coupled to a memory and configured to exchange security information using a plurality of attributes (220) in a management entity (ME) in an optical network unit (ONU) (120, 200) through an ONU management and control interface (OMCI) channel, in which the ME supports a plurality of security functions that protect upstream transmissions between the ONU (120, 200) and an optical line terminal (OLT) (110). Also included is an apparatus comprising an ONU (120, 200) configured to couple to an OLT (110) and comprising an OMCI ME, wherein the OMCI ME comprises a plurality of attributes (220) that support a plurality of security features for upstream transmissions between the ONU (120, 200) and the OLT (110), and where the attributes (220) are communicated through an OMCI channel between the ONU (120, 200) and the OLT (110) and provide the security features for the ONU (120, 200) and the OLT (110).
Publication number: BR112012008062B1
Application number: R112012008062-8
Filing date: 2010-07-31
Publication date: 2021-04-20
Inventor: Frank J. Effenberger
Applicant: Huawei Technologies Co., Ltd.
Main IPC:
Patent description:

CROSS REFERENCE TO RELATED PATENT APPLICATIONS
[0001] The present patent application claims priority to Provisional Patent Application US 61/230,520, filed on July 31, 2009, and Non-Provisional Patent Application US 12/844,173, filed on July 27, 2009, which are hereby incorporated by reference as if reproduced in their entirety.
BACKGROUND
[0002] A passive optical network (PON) is a system for providing network access over the "last mile". A PON is a point-to-multipoint network comprising an optical line terminal (OLT) at the central office, an optical distribution network (ODN), and a plurality of optical network units (ONUs) at the customer premises. Downstream data transmissions are broadcast to all ONUs, while upstream data transmissions are sent to the OLT using time division multiple access (TDMA) or wavelength division multiple access (WDMA). PON systems, such as Gigabit PONs (GPONs), may support some security features to protect user data, for example for the downstream broadcast. For example, broadcast transmissions from the OLT to the ONUs can be encrypted.
SUMMARY
[0003] In one embodiment, the disclosure includes a network component comprising at least one processor coupled to a memory and configured to exchange security information using a plurality of attributes in a management entity (ME) at an ONU by means of an ONU Management and Control Interface (OMCI) channel, where the ME supports a plurality of security functions that protect upstream transmissions between the ONU and an OLT.
[0004] In another embodiment, the disclosure includes an apparatus comprising an ONU configured to couple to an OLT and comprising an OMCI ME, wherein the OMCI ME comprises a plurality of attributes that support a plurality of security features for upstream transmissions between the ONU and the OLT, and where the attributes are communicated through an OMCI channel between the ONU and the OLT and provide the security features for the ONU and the OLT.
[0005] In yet another embodiment, the disclosure includes a method comprising exchanging a plurality of security attributes with an ONU using an OMCI channel, thereby providing a plurality of security features for ONU upstream communications, wherein the attributes are exchanged without modifying a physical layer operations, administration, and maintenance (PLOAM) channel between an OLT and the ONU.
[0006] These and other features will be more clearly understood from the detailed description below, considered together with the accompanying drawings and claims.
BRIEF DESCRIPTION OF THE DRAWINGS
[0007] For a more complete understanding of this disclosure, reference is now made to the following brief description, taken in connection with the accompanying drawings and the detailed description, in which like reference numerals represent like parts.
FIG. 1 is a schematic diagram of an embodiment of a PON.
FIG. 2 is a schematic diagram of an embodiment of an ONU.
FIG. 3 is a protocol diagram of an embodiment of an authentication message exchange sequence.
FIG. 4 is a schematic diagram of an embodiment of a plurality of ONU states.
FIG. 5 is a schematic diagram of an embodiment of a general purpose computer system.
DETAILED DESCRIPTION
[0008] It should be understood at the outset that although an illustrative implementation of one or more embodiments is provided below, the disclosed systems and/or methods may be implemented using any number of techniques, whether currently known or in existence. The disclosure should in no way be limited to the illustrative implementations, drawings, and techniques illustrated below, including the exemplary designs and implementations illustrated and described herein, but may be modified within the scope of the appended claims along with their full scope of equivalents.
[0009] In PON systems, downstream broadcasts from the OLT to the ONUs can be susceptible to security threats, such as eavesdropping by a user with malicious intent. For example, an unauthorized user may attempt to receive channels and/or slots without authorization from the OLT. To counter such threats, downstream broadcasts are typically encrypted. Upstream transmissions can also be encrypted. However, upstream transmissions have been regarded as inherently more secure than downstream broadcasts, since legitimate or authorized ONUs cannot receive the upstream transmissions of other ONUs due to the physical architecture of the PON and the directional nature of the optical signals. Therefore, privileged information is typically transmitted upstream from the ONUs in clear text, that is, unencrypted. However, more sophisticated attack methods, such as clandestine taps on the optical fibre cables, can still present security concerns in PON systems. Thus, security enhancements for downstream and/or upstream transmissions in PON systems may be desired, for example to protect encryption keys and/or other password information.
[00010] Means of providing some security enhancements have been proposed previously, but they typically require modifying the PLOAM channel. Since PLOAM processing commonly takes place at the physical layer, modifying the PLOAM channel may involve upgrading hardware in a plurality of network components, for example at the ONUs and/or OLTs. The PLOAM channel may not be easily modified through software and may require field visits to upgrade hardware in system components. Therefore, previously proposed security improvements based on modifying the PLOAM channel may not be practical or cost-effective.
[00011] Disclosed herein is a method and system for providing enhanced security in PON systems. Security can be improved by exchanging security parameters and data over an OMCI channel, which can be used to provide a plurality of security features. The security features provided may comprise security capability discovery, ONU authentication, OLT authentication, key privacy, or combinations thereof. The security features can be supported by communicating a plurality of corresponding attributes on the OMCI channel. The attributes can be added to the OMCI channel using an OMCI ME. Because the security features are provided by OMCI through software implementations, they can be extended or updated without substantial difficulty to accommodate system changes. As such, the security features can be provided without substantial changes or modifications to the PLOAM channel.
[00012] FIG. 1 illustrates an embodiment of a PON 100. The PON 100 may comprise an OLT 110, a plurality of ONUs 120, and an ODN 130 that may be coupled to the OLT 110 and the ONUs 120. The PON 100 may be a communications network that does not require any active components to distribute data between the OLT 110 and the ONUs 120. Instead, the PON 100 can use the passive optical components in the ODN 130 to distribute data between the OLT 110 and the ONUs 120. The PON 100 can be a next generation access (NGA) system, such as a ten Gigabit per second (Gbps) GPON (XG-PON), which can have a downstream bandwidth of about ten Gbps and an upstream bandwidth of at least about 2.5 Gbps. Other examples of suitable PONs 100 include the asynchronous transfer mode PON (APON) and broadband PON (BPON) defined by the International Telecommunication Union Telecommunication Standardization Sector (ITU-T) G.983 standard, the GPON defined by the ITU-T G.984 standard, the Ethernet PON (EPON) defined by the Institute of Electrical and Electronics Engineers (IEEE) 802.3ah standard, the 10G-EPON defined by the IEEE 802.3av standard, and the wavelength division multiplexed (WDM) PON (WPON), all of which are hereby incorporated by reference as if reproduced in their entirety.
[00013] In one embodiment, the OLT 110 can be any device that is configured to communicate with the ONUs 120 and another network (not shown). Specifically, the OLT 110 can act as an intermediary between the other network and the ONUs 120. For example, the OLT 110 can forward data received from the network to the ONUs 120, and forward data received from the ONUs 120 to the other network. Although the specific configuration of the OLT 110 may vary depending on the type of PON 100, in one embodiment the OLT 110 may comprise a transmitter and a receiver. When the other network uses a network protocol, such as Ethernet or Synchronous Optical Network (SONET)/Synchronous Digital Hierarchy (SDH), that is different from the PON protocol used in the PON 100, the OLT 110 can comprise a converter that converts the network protocol into the PON protocol. The OLT 110 converter can also convert the PON protocol into the network protocol. The OLT 110 may typically be located at a central location, such as a central office, but it may be located in other locations as well.
[00014] In one embodiment, the ONUs 120 can be any devices that are configured to communicate with the OLT 110 and the customer or user (not shown). Specifically, the ONUs 120 can act as an intermediary between the OLT 110 and the customer. For example, the ONUs 120 can forward data received from the OLT 110 to the customer, and forward data received from the customer to the OLT 110. Although the specific configuration of the ONUs 120 may vary depending on the type of PON 100, in one embodiment the ONUs 120 may comprise an optical transmitter configured to send optical signals to the OLT 110 and an optical receiver configured to receive optical signals from the OLT 110. Additionally, the ONUs 120 may comprise a converter that converts the optical signal into electrical signals for the customer, such as signals in the Ethernet protocol, and a second transmitter and/or receiver that can send and/or receive the electrical signals to and/or from a customer device. In some embodiments, ONUs 120 and optical network terminals (ONTs) are similar, and thus the terms are used interchangeably herein. The ONUs 120 may typically be located at distributed locations, such as customer premises, but they can be located in other locations as well.
[00015] In one embodiment, the ODN 130 can be a data distribution system that may comprise optical fibre cables, couplers, splitters, distributors, and/or other equipment. In one embodiment, the optical fibre cables, couplers, splitters, distributors, and/or other equipment can be passive optical components. Specifically, they may be components that do not require power to distribute data signals between the OLT 110 and the ONUs 120. Alternatively, the ODN 130 may comprise one or more active components, such as optical amplifiers. The ODN 130 may typically extend from the OLT 110 to the ONUs 120 in a branching configuration as shown in FIG. 1, but it can alternatively be configured in any other point-to-multipoint configuration.
[00016] In one embodiment, the ONUs 120 and/or the OLT 110 can communicate using an OMCI, for example to exchange control information in the PON 100. As such, the OLT can establish an OMCI channel to control some of the activities and/or operations of the ONUs 120. The OMCI can be used to manage one or more layers of service definition. Specifically, the OMCI can model the data flow between the OLT 110 and the ONUs 120 using a protocol-independent management information base (MIB) comprising a plurality of MEs. Such a configuration is described in the OMCI for GPON, ITU-T G.984.4 and its amendments, which are hereby incorporated by reference as if reproduced in their entirety. In the OMCI, customer packets can be mapped to GPON Encapsulation Method (GEM) ports using Virtual Local Area Network (VLAN) filtering, as described in IEEE 802.1p, which is incorporated herein by reference as if reproduced in its entirety.
[00017] The OMCI at the ONU can be implemented using software, hardware, or both, where new MEs can be added to support additional or new capabilities, for example capabilities that satisfy different customer needs. Each ME in the OMCI may comprise a data architecture that represents a feature and/or service supported by the OMCI. For example, the ME definition may describe the purpose of the ME, the relationship between the ME and other MEs, the attribute(s) of the ME, or combinations thereof. The ME may comprise a plurality of attributes, properties, attribute properties, or combinations thereof. The OMCI is described in ITU-T Recommendation G.983.2, entitled "ONT management and control interface specification for B-PON", ITU-T Recommendation G.984.4, entitled "Gigabit-capable passive optical networks (G-PON): ONT management and control interface specification", and ITU-T Recommendation G.988, entitled "ONU management and control interface (OMCI) specification", all of which are hereby incorporated by reference as if reproduced in their entirety.
[00018] In one embodiment, the OMCI may comprise an Enhanced Security Control ME that enhances security in PON systems. The Enhanced Security Control ME may provide additional security features and/or functions, which may comprise a security capability discovery function, an ONU authentication function, an OLT authentication function, and a key privacy function. The OMCI ME may comprise a plurality of attributes, for example tables and/or parameters, that support security functions such as those described in conjunction with FIG. 2 below. The security functions and attributes can be used to provide security features for upstream transmissions from the ONUs and optionally to add security for downstream transmissions from the OLT.
[00019] The security capability discovery function may allow either the OLT or the ONU to discover the existence and/or availability of one or more security capabilities of the other component. The security capability discovery function may also allow a network component to discover one or more security algorithms that support a security capability of the other component. Additionally, the security capability discovery function can allow the component to select which of the security algorithms to activate. In one embodiment, the OLT can use the security capability discovery function to inform the ONU, through the OMCI channel, of the security capabilities and/or algorithms that can be provided by the OLT. The security capabilities and/or algorithms may be provided to the ONU in one or more readable and/or writable attributes, for example in the Enhanced Security Control ME of the ONU. The OLT can also use the security capability discovery function to receive from the ONU, through the OMCI channel, the security capabilities and/or algorithms supported by the ONU. These may be located in one or more readable attributes, for example in the Enhanced Security Control ME of the ONU, and may indicate the existence of a security capability and/or define the ONU's level of support for a particular capability and/or algorithm.
[00020] Additionally, the security capability discovery function can allow the OLT to specify one or more security algorithms that can be used to provide the ONU authentication function, the OLT authentication function, the key privacy function, or combinations thereof. In some embodiments, one or more of these security capabilities/algorithms may be specified by an administrator instead of by the OLT or the ONU. The security capabilities/algorithms can be specified as part of the security capability discovery function, for example before starting the ONU authentication function, the OLT authentication function, and/or the key privacy function. Alternatively, the capabilities/algorithms can be specified as part of establishing the different security functions.
[00021] The ONU authentication function can allow the OLT to verify that the ONU is an authorized user and/or satisfies one or more security qualification criteria. In one embodiment, the OLT can exchange the information needed for ONU authentication with the ONU through the OMCI channel. For example, the ONU authentication procedure can comprise a challenge-response authentication procedure established between the OLT and the ONU using the OMCI channel. The challenge-response procedure may use the hash functions specified in Federal Information Processing Standards (FIPS) publication 180-3, entitled "Secure Hash Standard (SHS)", which is incorporated herein by reference as if reproduced in its entirety. During the challenge-response procedure, the OLT sends a challenge in the form of a nonce, for example a randomly generated number, to the ONU through the OMCI channel. The ONU then sends a response to the OLT through the OMCI channel comprising a hash computed over the nonce together with a mutually shared secret. For example, the OLT can write the nonce into the OMCI ME of the ONU, and then read the hash result from the OMCI ME. The OLT authenticates the ONU by verifying that the received hash equals an ONU authentication value that the OLT computes independently from its own copy of the shared secret and the nonce (the comparison should cover the full value and, in practice, run in constant time). In some embodiments, the OLT may send an ONU authentication confirmation message to the ONU, through the OMCI channel, after determining that the received hash equals the ONU authentication value. The ONU authentication confirmation message indicates that the ONU has been authenticated by the OLT.
[00022] The OLT authentication function may allow the ONU to verify that the OLT is a legitimate OLT, for example one assigned to the ONU and/or one that satisfies one or more security qualification criteria. In one embodiment, the ONU can exchange the information needed for OLT authentication with the OLT through the OMCI channel. For example, OLT authentication can comprise a challenge-response authentication procedure established between the OLT and the ONU using the OMCI channel. During the challenge-response procedure, the ONU sends a challenge in the form of a nonce to the OLT through the OMCI channel. In response, the OLT sends the ONU, through the OMCI channel, a message containing a hash computed over the nonce together with the mutually shared secret. For example, the OLT can read the nonce from the OMCI ME in the ONU, and then write the hash result into the OMCI ME. The ONU compares the received hash with an OLT authentication value that the ONU computes itself in order to authenticate the OLT. In some embodiments, the ONU can send an OLT authentication confirmation message to the OLT through the OMCI channel after confirming that the received hash equals the OLT authentication value. The hash result and the OLT authentication value are calculated independently by the OLT and the ONU, respectively. Also, the nonce and the hash result used in the OLT authentication procedure are different from the nonce and the hash result used in the ONU authentication procedure, so that a response captured in one direction cannot be replayed in the other.
[00023] The key privacy function may allow the OLT and the ONU to exchange, through the OMCI channel, encryption keys and/or other security parameters or information to establish an encryption protocol for upstream and/or downstream transmissions. For example, the key privacy function can allow the OLT to send key information to the ONU through the OMCI channel. The key privacy function may also allow the ONU to send key information to the OLT via the OMCI channel. Key information can comprise any information that is used to establish an encryption protocol. The key information can be associated with a public-key protocol that uses an asymmetric key algorithm. Some common techniques used in public-key cryptography are described in the IEEE 1363 standard, entitled "Standard Specifications for Public-Key Cryptography", which is incorporated herein by reference as if reproduced in its entirety. Public-key encryption comprises a method for encrypting data using a public key and decrypting the data using a private key, where the public key can be distributed widely and the private key is kept secret. In such schemes the private key cannot feasibly be derived from the public key, and as such an attacker who does not possess the private key is prevented from decrypting an encrypted message. For example, the key privacy function can allow the OLT to write a public key into the OMCI ME at the ONU. The ONU can then encrypt an Advanced Encryption Standard (AES) key with the public key and send the encrypted key over the PLOAM channel. Subsequently, the OLT can receive the encrypted key and recover the AES key from it using its private key. Note that a public key written into the ME proves nothing about who wrote it; the ONU should only wrap a key for a public key supplied by an OLT that has passed the OLT authentication function described above.
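The key privacy flow just described, as an added example that is not code from the patent or from any OLT/ONU vendor. It assumes the `cryptography` package and RSA-2048 with OAEP/SHA-256 (the text only says "public-key protocol"; algorithm and padding are this example's choices), a public-key attribute on the ME that the text does not name, and a byte string standing in for the PLOAM message. The ONU refuses to wrap a key unless its ONU authentication state is S3 (authentication success), so that only an OLT that has passed the OLT authentication function can obtain the AES key.

```python
"""Key privacy: OLT public key in via OMCI, wrapped AES key out via PLOAM.
Added example, not the patent's or any vendor's code; see the lead-in for assumptions."""
import os

from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa

S3_AUTHENTICATION_SUCCESS = 3   # ONU authentication state value from the text
OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)


class OLTKeyPrivacy:
    def __init__(self):
        # Private key never leaves the OLT; only the public half is written to the ONU.
        self._private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)

    def public_key_for_omci(self):
        """Value the OLT writes into the (assumed) public-key attribute of the ME."""
        return self._private_key.public_key()

    def unwrap_aes_key(self, ploam_payload):
        """Recover the AES key from the ciphertext the ONU sent upstream."""
        return self._private_key.decrypt(ploam_payload, OAEP)


class ONUKeyPrivacy:
    def __init__(self):
        self.olt_public_key = None          # ME attribute written by the OLT (assumed name)
        self.onu_authentication_state = 0   # S0 until the OLT authentication function succeeds

    def wrap_new_aes_key(self):
        """Generate an AES-128 key; return (key, ciphertext for the PLOAM message)."""
        if self.onu_authentication_state != S3_AUTHENTICATION_SUCCESS:
            raise PermissionError("OLT not authenticated; a rogue OLT could have supplied this key")
        if self.olt_public_key is None:
            raise ValueError("no OLT public key provisioned; refusing to send a key in the clear")
        aes_key = os.urandom(16)
        return aes_key, self.olt_public_key.encrypt(aes_key, OAEP)


def exchange(authenticated=True):
    """Run the flow; return (OLT recovered the same key, wrapped key length in bytes)."""
    olt, onu = OLTKeyPrivacy(), ONUKeyPrivacy()
    onu.olt_public_key = olt.public_key_for_omci()        # OMCI set of the public key
    if authenticated:
        onu.onu_authentication_state = S3_AUTHENTICATION_SUCCESS
    aes_key, ploam_payload = onu.wrap_new_aes_key()        # PLOAM message upstream
    return olt.unwrap_aes_key(ploam_payload) == aes_key, len(ploam_payload)
```

With a 2048-bit key the wrapped payload is 256 bytes regardless of the AES key length, and OAEP with SHA-256 leaves 190 bytes of capacity, so a 16- or 32-byte AES key fits in a single PLOAM-sized message.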
[00024] In different embodiments, the security capability discovery function, the ONU authentication function, the OLT authentication function, and the key privacy function can be consolidated into a single authentication function or executed concurrently. In some embodiments, the OLT can exchange with the ONU, through the OMCI channel, cryptographic capabilities, authentication information, and/or key information belonging to the OLT and/or the ONU, for example by reading and/or writing a plurality of attributes in the Enhanced Security Control ME. The attributes can be exchanged in an authentication message exchange sequence as described in detail below.
[00025] FIG. 2 illustrates an embodiment of an ONU 200 that may comprise an Enhanced Security Control ME 210. The Enhanced Security Control ME 210 may comprise a plurality of ME attributes 220 (e.g. A1-AN). These ME attributes 220 may represent data structures, for example tables, parameters, and/or system variables, which may comprise data describing characteristics of the ONU and/or of an authentication message exchange sequence. The ME attributes 220 may comprise an ME ID attribute, an OLT crypto capabilities attribute, an OLT random challenge table attribute, an OLT challenge status attribute, an ONU selected crypto capabilities attribute, an ONU random challenge table attribute, an ONU authentication result table attribute, an OLT authentication result table attribute, an OLT result status attribute, an ONU authentication state attribute, a master session key name attribute, a broadcast key table attribute, an effective key length attribute, or combinations thereof. These attributes can be used to support or provide security features and/or functions, such as the security capability discovery function, the ONU authentication function, the OLT authentication function, the key privacy function, or combinations thereof. As such, some of the ME attributes 220 can be used separately in different security functions or together in a combined security function that consolidates at least some of the security functions. For example, the ME attributes 220 can be used to implement a three-step symmetric-key authentication process.
[00026] The ME ID attribute can be used to identify each instance of the Enhanced Security Control ME 210. In one embodiment, there can be only one instance of the Enhanced Security Control ME 210 associated with the ONU, in which case the instance may have an ME ID value of zero. In other embodiments, there may be multiple instances of the Enhanced Security Control ME 210 associated with the ONU, where each instance has a different ME ID value. The ME ID attribute can be readable and two bytes in length.
[00027] The OLT crypto capabilities attribute can specify one or more of the cryptographic mechanisms available or supported by the OLT. In one embodiment, the OLT crypto capabilities attribute can be formatted as a bitmap in which each bit corresponds to an algorithm, for example as shown in Table 1. Accordingly, a bit can be set to one to indicate that the corresponding cryptographic authentication algorithm is supported by the OLT, or to zero to indicate that the corresponding algorithm is not supported by the OLT. The OLT crypto capabilities attribute can be writable and 16 bytes in length. In some cases, every bit in the OLT crypto capabilities attribute can be set to zero to indicate that the OLT does not support any algorithm.
[00028] Table 1 describes an embodiment of the OLT crypto capabilities attribute bitmap. Specifically, different bit positions in the bitmap correspond to different cryptographic algorithms. For example, bit position one (the least significant bit (LSB)) can correspond to the AES-CMAC-128 algorithm, bit position two to the HMAC-SHA-256 algorithm, bit position three to the HMAC-SHA-512 algorithm, and bit positions four to 128 can be reserved.
TABLE 1
Bit position    Algorithm
1 (LSB)         AES-CMAC-128
2               HMAC-SHA-256
3               HMAC-SHA-512
4 to 128        Reserved
[00029] The OLT random challenge table attribute can specify a random challenge issued by the OLT during an authentication sequence. In one embodiment, the OLT random challenge table attribute can be a table comprising N entries (N is an integer), where N can be determined by an administrator. Each entry in the table may have a fixed length, for example 17 bytes, where the first byte of each entry comprises an entry index or entry identifier and the remaining 16 bytes comprise the content. The OLT can write the entries into the table and then trigger the ONU to process the table entries, for example using the OLT challenge status attribute. Since the OLT random challenge table attribute can have a variable number of entries (e.g. N), the length and therefore the strength of the random challenge can be increased to improve the security of the authentication function, if necessary. The OLT random challenge table attribute can be readable, writable, and 17xN bytes in length.
[00030] The OLT challenge status attribute can be used to track and report the status of the OLT crypto capabilities attribute and/or the OLT random challenge table attribute. In one embodiment, the OLT challenge status attribute can be a boolean attribute that is set to true (one) when the OLT crypto capabilities attribute and/or the OLT random challenge table attribute is complete, or to false (zero) when it is not. For example, the OLT can set the OLT challenge status attribute to false (zero) before or while writing the OLT crypto capabilities attribute and/or the OLT random challenge table attribute. Subsequently, the OLT can set the OLT challenge status attribute to true (one) on completing the writing of the OLT crypto capabilities attribute and/or the OLT random challenge table attribute. That is, the OLT sets the OLT challenge status attribute to false, writes a plurality of entries into the OLT crypto capabilities attribute and/or the OLT random challenge table attribute, sets the OLT challenge status attribute to true, and thereby enables the ONU to process the contents of the OLT crypto capabilities attribute and/or the OLT random challenge table attribute. Until the status is true the ONU must treat the table as incomplete, since the entries are written one at a time. The OLT challenge status attribute can be readable, writable, and one byte in length.
[00031] The ONU selected crypto capabilities attribute can specify the cryptographic capability selected by the ONU, for example in an authentication sequence. The ONU selected crypto capabilities attribute can be set to a value that indicates an algorithm supported by the OLT, i.e. one advertised in the OLT crypto capabilities attribute. The value specifies one of the bit positions that has been set to one in the OLT crypto capabilities attribute.
[00032] The ONU random challenge table attribute can specify a random challenge issued by the ONU during the authentication sequence. In one embodiment, the ONU random challenge table attribute can be a table comprising P entries (P is an integer), where P can be set by an administrator. Each entry in the table may have a fixed length, for example 16 bytes, where the first byte of each entry may comprise an entry index or entry identifier and the remaining bytes comprise the content. The ONU writes the ONU random challenge table attribute in response to the OLT setting the OLT challenge status attribute. After generating the ONU random challenge table attribute, the ONU can notify the OLT, for example using an attribute value change (AVC) notification, that the challenge table is established, which triggers the OLT to start a get/get-next sequence to retrieve the table contents. Since the ONU random challenge table attribute can have a variable number of entries, the length and therefore the strength of the random challenge can be increased to improve the security of the authentication function. The ONU random challenge table attribute can be readable and 16xP bytes in length.
[00033] The ONU authentication result table attribute can specify a ONU authentication challenge result according to the attribute of selected encryption capabilities of the OLT. The ONU authentication result table attribute value can be generated using a ONU selected hash function, such as: SelectedHashFunction (PSK, (ONU_selected_crypto_capabilities | OLTrandomchallengetable | ONUrandomchallengetable | 0X0000 0000 0000 0000)), where "|" denotes concatenation and ONU_selected_crypto_capabilities represents the encryption capabilities selected by the ONU.
[00034] In one embodiment, the UN authentication result table attribute may be a data table comprising Q entries (Q is an integer) which can be determined by an administrator. Each entry in the data table can have a fixed length, for example around 16 bytes. The ONU can write the ONU authentication result table attribute in response to the OLT that generates the OLT challenge state attribute. After generating the UN authentication result table attribute, the ONU can notify the OLT, for example using a message or AVC notification that the table is established to trigger the OLT to begin a get/get-next sequence to get the contents of the table. Since the ONU authentication response table attribute can have a variable number of entries, the length and therefore the complexity of the hash combination can be increased to improve the security of the ONU authentication function, if necessary. The UN authentication result table attribute can be readable and about 16xQ bytes in length.
[00035] The OLT authentication result table attribute can specify an OLT authentication calculation result. The OLT authentication result table attribute value can be generated using an OLT selected hash function, such as: SelectedHashFunction (PSK, (ONU selected crypto capabilities | OLU_random_challenge_table | OLT_random_cballenge_table | ONU_serial_number)), where ONU_serial_number is the number of UN ME series, which can be specified by a UN serial number attribute.
[00036] In one embodiment, the OLT authentication result table attribute may be a data table comprising R entries (R is an integer) that can be set by an administrator. Each entry in the data table may have a fixed length, for example about 17 bytes, where the first byte of each entry comprises an entry index or entry identifier and the remaining bytes comprise the content. The OLT writes the entries to the OLT authentication result table attribute and then triggers the ONU to process the table using the OLT result state attribute. Since the OLT authentication result table can have a variable number of entries, the length, and therefore the complexity, of the result can be increased to improve the security of the OLT authentication function when needed. The OLT authentication result table attribute can be writable and about 17xR bytes in length.
[00037] The OLT result state attribute can be used to track and/or report the state of the OLT authentication result table attribute. In one embodiment, the OLT result state attribute can be a boolean attribute that is set to a true value (about one) when the OLT authentication result table attribute is complete, or to a false value (about zero) when it is not. For example, the OLT can set the OLT result state attribute to false before or while writing to the OLT authentication result table attribute, and subsequently to true when it completes writing the result. That is, the OLT can set the OLT result state attribute to false, write a plurality of entries to the OLT authentication result table attribute, set the OLT result state attribute to true, and thereby trigger the ONU to process the OLT authentication result table attribute. The OLT result state attribute can be readable, writable, and about one byte in length.
[00038] The ONU authentication state attribute can indicate the status of the authentication relationship from the ONU perspective. A value of about zero indicates that the ONU is in the inactive state S0, for example where the authentication procedure is not active. A value of about one indicates the OLT challenge pending state S1, for example when the authentication procedure is in progress. A value of about two indicates the ONU challenge pending state S2. A value of about three indicates the authentication success state S3, for example when the authentication procedure is completed and the ONU has authenticated the OLT. A value of about four indicates the authentication failure state S4, for example when the authentication procedure is completed and the ONU has not authenticated the OLT. A value of about five indicates the authentication error state S5, for example when the authentication procedure started but could not be completed. When the ONU authentication state attribute has a value of about three, that is, in the S3 authentication success state, a plurality of encryption keys can be exchanged in the Transmission Convergence (TC) layer, for example using a master session key as described in G.984 or a master encryption key as described in G.987, both of which are hereby incorporated as if reproduced in their entirety. The OLT can check the ONU authentication state attribute value before initiating a key switch.
Additionally, the OLT can be alerted to a change of the ONU authentication state attribute, for example a change from state S1 to state S2, by receiving an AVC message or notification from the ONU through the OMCI channel. The ONU authentication state attribute can be readable and about one byte in length.
[00039] The master session key name attribute can comprise the name of the current session key, for example after a successful authentication. The master session key can be defined by the ONU selected hash function, such as: SelectedHashFunction(PSK, (OLT_random_challenge | ONU_random_challenge)).
[00040] The master session key name attribute can be set to: SelectedHashFunction(PSK, (ONU_random_challenge | OLT_random_challenge | 0x 3141 5926 5358 9793 3141 5926 5358 9793)), where the number 0x 3141 5926 5358 9793 3141 5926 5358 9793 is given as an example of an ONU serial number. If the selected hash function generates more than about 128 bits, the result can be truncated to the leftmost, that is, most significant, 128 bits. Upon termination of a master session key, for example due to an ONU reset or an ONU local decision that the master key has expired, the ONU can set the master session key name attribute to all zeros. The master session key name attribute can be readable and about 16 bytes in length.
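The following is an added worked example, not code from the patent or from any ITU-T implementation. It carries the ONU authentication result table, the OLT authentication result table, the master session key and the master session key name of paragraphs [00033] to [00040] through one complete three-step exchange, with each side using only its own copy of the PSK and a constant-time comparison of the peer's digest. The page leaves SelectedHashFunction() open (AES-CMAC-128 is named as one candidate), so HMAC-SHA-256 truncated to 128 bits is assumed as a stand-in that runs on the Python standard library alone; the ONU serial number, the single-entry challenge tables and the one-byte capabilities value are constructed sample inputs.

```python
import hashlib
import hmac
import secrets

# Assumption: HMAC-SHA-256 truncated to 128 bits stands in for the negotiated
# SelectedHashFunction(); AES-CMAC-128 would need a third-party library.
def selected_hash(psk: bytes, data: bytes) -> bytes:
    return hmac.new(psk, data, hashlib.sha256).digest()[:16]

PEER1_IDENTITY = bytes(8)                        # 0x0000 0000 0000 0000 (Peer_1_identity)
MSK_NAME_CONST = bytes.fromhex("31415926535897933141592653589793")
ENTRY_BYTES = 16                                 # payload bytes per table entry


def split_entries(data: bytes, indexed: bool) -> list:
    """Split a digest or challenge into fixed-length table entries.
    OLT-written tables carry a leading index byte (17-byte entries);
    ONU-written tables do not (16-byte entries)."""
    rows = []
    for i in range(0, len(data), ENTRY_BYTES):
        chunk = data[i:i + ENTRY_BYTES].ljust(ENTRY_BYTES, b"\x00")
        rows.append((bytes([i // ENTRY_BYTES]) if indexed else b"") + chunk)
    return rows


def join_entries(rows: list, indexed: bool) -> bytes:
    return b"".join(r[1:] if indexed else r for r in rows)


def onu_auth_result(psk, onu_caps, olt_chal, onu_chal):
    # ONU authentication result table: caps | OLT challenge | ONU challenge | Peer_1 identity
    return selected_hash(psk, onu_caps + olt_chal + onu_chal + PEER1_IDENTITY)


def olt_auth_result(psk, onu_caps, olt_chal, onu_chal, onu_serial):
    # OLT authentication result table: caps | ONU challenge | OLT challenge | ONU serial number
    return selected_hash(psk, onu_caps + onu_chal + olt_chal + onu_serial)


def master_session_key(psk, olt_chal, onu_chal):
    return selected_hash(psk, olt_chal + onu_chal)


def master_session_key_name(psk, olt_chal, onu_chal):
    # 128-bit result, so no truncation is needed with the stand-in hash
    return selected_hash(psk, onu_chal + olt_chal + MSK_NAME_CONST)


def run_three_step(psk_olt: bytes, psk_onu: bytes, onu_serial: bytes,
                   onu_caps: bytes = b"\x01") -> dict:
    """Simulate the OMCI three-step sequence; each side sees only its own PSK copy."""
    # Step 302: the OLT writes its random challenge table (one 16-byte entry here).
    olt_chal = secrets.token_bytes(ENTRY_BYTES)
    # Steps 306/308: the ONU picks its challenge and fills its result table.
    onu_chal = secrets.token_bytes(ENTRY_BYTES)
    onu_table = split_entries(onu_auth_result(psk_onu, onu_caps, olt_chal, onu_chal), indexed=False)
    # Steps 310/312: the OLT reads the ONU tables and checks the digest with its own PSK.
    expected = onu_auth_result(psk_olt, onu_caps, olt_chal, onu_chal)
    if not hmac.compare_digest(join_entries(onu_table, False), expected):
        return {"authenticated": False, "reason": "ONU result mismatch"}
    # Step 314: the OLT writes its indexed result table; the ONU verifies it (S3 or S4).
    olt_table = split_entries(olt_auth_result(psk_olt, onu_caps, olt_chal, onu_chal, onu_serial), indexed=True)
    expected = olt_auth_result(psk_onu, onu_caps, olt_chal, onu_chal, onu_serial)
    if not hmac.compare_digest(join_entries(olt_table, True), expected):
        return {"authenticated": False, "reason": "OLT result mismatch (S4)"}
    # S3: both sides derive the master session key and its name independently.
    return {
        "authenticated": True,
        "msk_olt": master_session_key(psk_olt, olt_chal, onu_chal),
        "msk_onu": master_session_key(psk_onu, olt_chal, onu_chal),
        "msk_name": master_session_key_name(psk_onu, olt_chal, onu_chal),
    }


if __name__ == "__main__":
    psk = bytes(range(16))                       # constructed 128-bit PSK
    print(run_three_step(psk, psk, b"HWTC12345678")["authenticated"])   # constructed serial
```

The ordering of the challenges differs between the two result tables on purpose: the OLT result swaps the challenge order and appends the ONU serial number, so a peer cannot reflect the other side's digest back as its own.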
[00041] The broadcast key table attribute can comprise a broadcast key generated by the OLT. The broadcast key table attribute may comprise a table of one or more rows. Each row may comprise a row control portion, a row identifier portion, and a key fragment portion. The row control can comprise about one byte, the row identifier about one byte, and the key fragment about 16 bytes. As such, the broadcast key table attribute can be readable and writable, optional, and about 18xN bytes in length for N rows.
[00042] The row control can describe the action to be taken on the specified row, that is, the row named by the row identifier. The two LSBs of the row control can determine the attribute's behavior under a set action, for example as shown in Table 2. In Table 2, the two LSBs can be set to 00 to set the specified row, to 01 to clear the specified row, to 10 to clear the entire table, or to 11 to indicate a reserved entry. Also, the four MSBs of the row control can specify the length of the corresponding key fragment. The remaining two bits of the row control can be reserved. The two LSBs of the row control read as zero under the get-next action and behave in a manner consistent with Table 2 under the set action. TABLE 2

[00043] The row identifier can identify the specified row. The two MSBs of the row identifier can represent the key index that appears in the header of an encrypted multicast GPON Encapsulation Method (GEM) frame. A key index of zero indicates clear text (no encryption), and thus does not appear in the row identifier. The four LSBs of the row identifier can identify the key fragment number, counted from zero. The two remaining bits of the row identifier can be reserved. The key fragment may comprise a specified portion of the key, for example as specified by the ONU. The key portion can be encrypted with AES in electronic codebook (ECB) mode using the key encryption key (KEK).
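The following is an added example, not the patent's or any vendor's OMCI code, showing how the bit layout of paragraphs [00041] to [00043] is encoded and decoded: row control (action in the two LSBs, fragment length in the four MSBs, two reserved bits), row identifier (key index in the two MSBs, fragment number in the four LSBs, two reserved bits), the set-action semantics of Table 2, the get-next read-back of the action bits as zero, and reassembly of a key from its fragments on the ONU side. Two assumptions are labeled in the code: a fragment length field of 0 is read as a full 16-byte fragment (the page does not say how 16 is coded in four bits), and the fragments are left as received, still AES-ECB encrypted under the KEK; unwrapping them is outside this block.

```python
from dataclasses import dataclass

# Row-control action codes, the two LSBs of the row control byte (Table 2).
SET_ROW, CLEAR_ROW, CLEAR_TABLE, RESERVED_ACTION = 0b00, 0b01, 0b10, 0b11
FRAGMENT_BYTES = 16
ROW_BYTES = 18


@dataclass
class BroadcastKeyRow:
    action: int         # row control bits 1..0
    fragment_len: int   # row control bits 7..4: significant bytes in the fragment
    key_index: int      # row identifier bits 7..6, the key index of the GEM header
    fragment_no: int    # row identifier bits 3..0, counted from zero
    fragment: bytes     # 16-byte key fragment, still AES-ECB encrypted under the KEK

    def encode(self) -> bytes:
        if not (0 <= self.fragment_len <= 15 and 0 <= self.fragment_no <= 15):
            raise ValueError("fragment length and fragment number are 4-bit fields")
        if len(self.fragment) > FRAGMENT_BYTES:
            raise ValueError("key fragment is at most 16 bytes")
        control = (self.fragment_len << 4) | (self.action & 0x3)
        ident = ((self.key_index & 0x3) << 6) | self.fragment_no
        return bytes([control, ident]) + self.fragment.ljust(FRAGMENT_BYTES, b"\x00")


def parse_row(raw: bytes) -> BroadcastKeyRow:
    if len(raw) != ROW_BYTES:
        raise ValueError(f"row must be {ROW_BYTES} bytes, got {len(raw)}")
    control, ident = raw[0], raw[1]
    if control & 0x0C or ident & 0x30:
        raise ValueError("reserved bits set in row control or row identifier")
    return BroadcastKeyRow(action=control & 0x3, fragment_len=control >> 4,
                           key_index=ident >> 6, fragment_no=ident & 0x0F,
                           fragment=raw[2:])


class BroadcastKeyTable:
    """ONU-side view of the attribute: applies rows written with set actions."""

    def __init__(self) -> None:
        self.rows = {}   # (key_index, fragment_no) -> BroadcastKeyRow

    def apply_set(self, raw: bytes) -> None:
        row = parse_row(raw)
        if row.action == SET_ROW:
            if row.key_index == 0:
                raise ValueError("key index 0 means clear text; it has no key material")
            self.rows[(row.key_index, row.fragment_no)] = row
        elif row.action == CLEAR_ROW:
            self.rows.pop((row.key_index, row.fragment_no), None)
        elif row.action == CLEAR_TABLE:
            self.rows.clear()
        else:
            raise ValueError("row control action 11 is reserved")

    def get_next(self) -> list:
        """Rows as the OLT reads them back: the action bits read as 00."""
        return [BroadcastKeyRow(SET_ROW, r.fragment_len, r.key_index, r.fragment_no,
                                r.fragment).encode()
                for r in (self.rows[k] for k in sorted(self.rows))]

    def assemble_key(self, key_index: int) -> bytes:
        """Concatenate fragments 0..n-1 of one key index; fails if any is missing."""
        numbers = sorted(n for (k, n) in self.rows if k == key_index)
        if not numbers or numbers != list(range(len(numbers))):
            raise KeyError(f"key index {key_index} is incomplete")
        # Assumption: fragment_len 0 denotes a full 16-byte fragment.
        return b"".join(self.rows[(key_index, n)].fragment[:self.rows[(key_index, n)].fragment_len
                                                           or FRAGMENT_BYTES]
                        for n in numbers)
```

A practical check on the ONU side is to refuse a key index whose fragments are not contiguous from zero, as assemble_key does, rather than silently using a truncated key; the OLT can repair the table with a clear-row or clear-table action followed by fresh set actions.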
[00044] The effective key length attribute can specify the maximum effective length (for example in bits) of the keys generated by the ONU. The effective key length attribute can be readable, optional, and about two bytes in length.
[00045] Additionally or alternatively, the ME 220 attributes may comprise an authentication capability attribute, an ONU authentication selection attribute, an ONU authentication nonce table attribute, an ONU authentication nonce state attribute, an ONU authentication response table attribute, or combinations thereof. The ME 220 attributes may also comprise an OLT authentication selection attribute, an OLT authentication nonce table attribute, an OLT authentication response table attribute, an OLT authentication response state attribute, an OLT public key capability attribute, an OLT public key selection attribute, an OLT public key table attribute, an OLT public key state attribute, or combinations thereof.
[00046] The authentication capability attribute can specify the authentication mechanisms available in the ONU and/or the authentication algorithms supported by the ONU. In one embodiment, the authentication capability attribute can be formatted as a bitmap where some or all of the bits in the bitmap can correspond to an authentication algorithm, for example according to Table 3. Consequently, a bit can be set to about one to indicate that a matching authentication algorithm is supported by the ONU, or to about zero to indicate that the matching authentication algorithm is not supported by the ONU. The authentication capability attribute can be readable and about 16 bytes in length. In some cases, each bit in the authentication capability attribute can be set to around zero to indicate that no authentication algorithm is supported by the ONU. TABLE 3

[00047] The ONU authentication selection attribute can specify the authentication algorithm to be used during the ONU authentication function. For example, the ONU authentication selection attribute can be set to a value that indicates an authentication algorithm supported by the ONU, that is, one listed in the authentication capability attribute. The ONU authentication selection attribute can be used to instruct the ONU to use the corresponding authentication algorithm to generate the hash digest, for example during the ONU authentication function. The ONU authentication selection attribute can be readable, writable, and about one byte in length. The ONU authentication selection attribute can also be set to about zero to indicate that no authentication algorithm is used in the ONU authentication function.
[00048] The ONU authentication nonce table attribute can specify a nonce that is used for the ONU authentication function. The nonce can be a random or pseudo-random number generated to enhance the security of the ONU authentication function. In one embodiment, the ONU authentication nonce table may be a data table comprising N entries (N is an integer) which can be determined by an administrator. Each entry in the data table may have a fixed length, for example about 25 bytes, where the first byte of each entry comprises an entry index or entry identifier and the remaining bytes comprise the content. Since the ONU authentication nonce table can have a variable number of entries (for example N), the length, and therefore the complexity, of the nonce can be increased to improve the security of the ONU authentication function if necessary. The ONU authentication nonce table can be readable and about 25xN bytes in length.
[00049] The ONU authentication nonce state attribute can be used to track and report the status of the ONU authentication nonce table attribute during the ONU authentication function. In one embodiment, the ONU authentication nonce state attribute can be set to a true boolean value (about one) when the ONU authentication nonce table is complete, or to a false boolean value (about zero) when it is incomplete. For example, the OLT can set the ONU authentication nonce state to false when starting to write the nonce to the ONU authentication nonce table attribute, and subsequently to true when it completes writing the nonce. That is, the OLT can set the ONU authentication nonce state attribute to false, write a plurality of entries to the ONU authentication nonce table attribute, set the ONU authentication nonce state attribute to true, and thereby trigger the ONU to process the ONU authentication nonce table attribute. The ONU authentication nonce state attribute can be readable, writable, and about one byte in length.
[00050] The ONU authentication response table attribute can specify a response, for example the hash digest used in the ONU authentication function. The ONU authentication response table attribute can comprise a hash digest that is calculated by the ONU. The hash digest can be calculated by processing the nonce, for example the contents of the ONU authentication nonce table attribute, using the authentication algorithm specified by the ONU authentication selection attribute. The OLT can obtain the hash digest by reading the ONU authentication response table attribute. The OLT can then authenticate the ONU by confirming that the hash digest equals the expected ONU authentication value. In one embodiment, the ONU authentication response table attribute may be a data table comprising M entries (M is an integer) which may be determined by an administrator. Each entry in the data table may have a fixed length, for example about 25 bytes, where the first byte of each entry comprises an entry index or entry identifier and the remaining bytes comprise the content. Since the ONU authentication response table attribute can have a variable number of entries, the length, and therefore the complexity, of the hash digest can be increased to improve the security of the ONU authentication function if necessary. The ONU authentication response table attribute can be readable and about 25xM bytes in length.
[00051] The OLT authentication selection attribute can specify an authentication mechanism to be used during the OLT authentication function. In one embodiment, the OLT authentication selection attribute can be set to a value that indicates an authentication algorithm supported by the ONU. The value can match an authentication algorithm listed in the authentication capability attribute. The OLT authentication selection attribute can instruct the ONU to use a specified authentication algorithm to generate a hash combination during the OLT authentication function. The OLT authentication selection attribute can be readable, writable, and about one byte in length. The OLT authentication selection attribute can also be set to about zero to indicate that no authentication algorithm is used during the OLT authentication function.
[00052] The OLT authentication nonce table attribute can specify a nonce to be used in the OLT authentication function. The nonce can be generated to improve the security of the OLT authentication function. In one embodiment, the OLT authentication nonce table can be a data table comprising P entries (P is an integer) that can be set by an administrator. Each entry in the data table may have a fixed length, for example about 25 bytes, where the first byte of each entry comprises an entry index or entry identifier and the remaining bytes comprise the content. Since the OLT authentication nonce table attribute can have a variable number of entries, the length, and therefore the complexity, of the nonce can be increased to improve the security of the OLT authentication function. The OLT authentication nonce table attribute can be readable and about 25xP bytes in length.
[00053] The OLT authentication response table attribute can specify the response, for example the hash digest, to be used in the OLT authentication function. The OLT authentication response table attribute can comprise the hash digest calculated by the OLT. The OLT can calculate the hash digest by processing the nonce in the OLT authentication nonce table attribute using the authentication algorithm specified in the OLT authentication selection attribute. As such, the ONU can read the OLT authentication response table attribute to obtain the hash digest value. The ONU can then authenticate the OLT by confirming that the hash digest value equals the expected OLT authentication value. In one embodiment, the OLT authentication response table can be a data table comprising Q entries (Q is an integer) that can be set by an administrator. Each entry in the data table may have a fixed length, for example about 25 bytes, where the first byte of each entry comprises an entry index or entry identifier and the remaining bytes comprise the content. Since the OLT authentication response table can have a variable number of entries, the length, and therefore the complexity, of the hash digest can be increased to improve the security of the OLT authentication function when needed. The OLT authentication response table can be readable and about 25xQ bytes in length.
[00054] The OLT authentication response state attribute can be used to track and/or report the state of the OLT authentication response table attribute during the OLT authentication function. In one embodiment, the OLT authentication response state attribute can be set to a true boolean value (about one) when the OLT authentication response table is complete, or to a false boolean value (about zero) when it is incomplete. For example, the OLT can set the OLT authentication response state to false when starting to write the response to the OLT authentication response table attribute, and subsequently to true when it completes writing the response. That is, the OLT can set the OLT authentication response state attribute to false, write a plurality of entries to the OLT authentication response table attribute, set the OLT authentication response state attribute to true, and thereby trigger the ONU to process the OLT authentication response table attribute accordingly. The OLT authentication response state attribute can be readable, writable, and about one byte in length.
[00055] The OLT public key capability attribute can specify the public key mechanisms available in ONU 200. In one embodiment, the OLT public key capability attribute can be formatted as a bitmap where some or all of the bits correspond to a specific public key algorithm, for example according to Table 4. A bit set to about one may indicate that the corresponding public key algorithm is supported by ONU 200, and a bit set to about zero may indicate that it is not. The OLT public key capability attribute can be readable and about 16 bytes in length. In some embodiments, every bit in the OLT public key capability attribute can be set to about zero to indicate that no public key algorithm is supported by ONU 200. TABLE 4

[00056] The OLT public key selection attribute can specify the public key mechanism to use during the key privacy function. In one embodiment, the OLT public key selection attribute may be set to a value that indicates a public key algorithm supported by ONU 200, for example one listed in the OLT public key capability attribute. The OLT public key selection attribute can be used to instruct the ONU to use the specified public key algorithm to encrypt the AES key during the key privacy function. The OLT public key selection attribute can be readable, writable, and about one byte in length. In some embodiments, the OLT public key selection attribute can be set to about zero to indicate that no public key algorithm is used.
[00057] The OLT public key table attribute can specify the public key to be used during the key privacy function. In one embodiment, the OLT writes the public key to the OLT public key table attribute. The OLT public key table attribute can be a table comprising R entries (R is an integer) that can be set by an administrator. Each entry in the table may have a fixed length, for example about 25 bytes, where the first byte of each entry comprises an entry index or entry identifier and the remaining bytes comprise the content. Since the OLT public key table attribute can have a variable number of entries, the length, and therefore the complexity, of the public key can be increased to improve the security of the key privacy function when needed. The OLT public key table attribute can be readable, writable, and about 25xR bytes in length.
[00058] The OLT public key state attribute can be used to control and/or report the state of the OLT public key table attribute during the key privacy function. In one embodiment, the OLT public key state attribute can be set to a true boolean value (about one) when the public key table is complete, or to a false boolean value (about zero) when it is incomplete. For example, the OLT can set the OLT public key state to false when starting to write the public key to the OLT public key table attribute, and subsequently to true when it completes writing the public key. That is, the OLT can set the OLT public key state attribute to false, write a plurality of entries to the OLT public key table attribute, set the OLT public key state attribute to true, and thereby trigger the ONU to process the OLT public key table attribute accordingly. The OLT public key state attribute can be readable, writable, and about one byte in length.
[00059] The OLT can use various actions, that is, instruction types, when communicating with the ONU through the OMCI channel, such as a get action, a get-next action, and a set action. The get action allows the OLT to read one or more attributes of the OMCI ME in the ONU, the get-next action allows the OLT to read a sequence or collection of attribute entries from the OMCI ME, and the set action allows the OLT to write one or more OMCI ME attributes.
[00060] The OLT may also receive one or more OMCI notifications during the security functions. OMCI notifications can be received in the form of AVC messages communicated through the OMCI channel. Each AVC message can have a numeric value corresponding to a different message type, for example as shown in Table 5A or 5B. For example, as shown in Table 5A, an AVC message associated with the ONU random challenge table attribute can be assigned a value of about five. An AVC message associated with the ONU authentication result table attribute can be assigned a value of about six. An AVC message associated with the ONU authentication state attribute can be assigned a value of about ten. The remaining values, for example about one to about four, about seven to about nine, and about eleven to about sixteen, can be reserved. TABLE 5A
TABLE 5B

[00061] In one embodiment, the Enhanced Security Control ME may comprise a plurality of facilities to perform a conventional three-step hash-based authentication sequence, for example as described in International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 9798-4, entitled "Information technology - Security techniques - Entity authentication - Part 4: Mechanisms using a cryptographic check function", which is incorporated herein by reference as if reproduced in its entirety. The conventional three-step authentication sequence can be used on DSL systems that employ the MS-CHAPv2 protocol, or on other systems that can use get and set messages. The logical structure of the conventional three-step sequence can comprise messages, for example message 1, message 2, and message 3, such as:
where MsgHash() is a keyed message hash function, PSK is the pre-shared key known only to the session peers, Peer_1_identity is set to 0x0000 0000 0000 0000, and Peer_2_identity is the ONU serial number.
[00062] A precondition for using the three-step hash-based authentication sequence is the availability of a pre-shared key (PSK). A PSK of about 128 bits can simplify the application of security algorithms based on AES-128 (for example AES-CMAC-128). A PSK can be associated with an ONU and stored both in that ONU and in the operator's infrastructure. On the operator side, the PSK for the ONU can be stored in the OLT coupled to the ONU or in a central server that the OLT accesses during authentication. Provisioning of the PSK in the ONU and in the operator infrastructure can be performed in any way that satisfies these requirements.
[00063] FIG. 3 illustrates one embodiment of an authentication message exchange sequence 300 that can be established between the OLT and the ONU over the OMCI channel. The authentication message exchange sequence 300 can provide enhanced security in PON systems, for example for upstream transmissions. The authentication message exchange sequence 300 can comprise various actions implemented by the OLT to communicate with the ONU through the OMCI channel and access the enhanced security control ME. For example, the OLT can write various attributes of the enhanced security control ME (for example ME attributes 220) using the set action, performing multiple set operations as needed to write multiple entries of one or more attributes. The OLT can read various attributes of the enhanced security control ME using the get action, which triggers a get response message carrying all or part of the contents of one or more attributes of the enhanced security control ME. Additionally, the OLT may receive one or more OMCI notifications in the form of AVC messages.
[00064] The authentication message exchange sequence 300 can start at step 302, where the OLT writes the OLT crypto capabilities attribute and/or the OLT random challenge table attribute using a set action. In step 304, the OLT writes a true value, for example about one, to the OLT challenge state attribute using a set action, to indicate to the ONU that the OLT crypto capabilities attribute and/or the OLT random challenge table attribute have been established. In step 306, the OLT may receive from the ONU an AVC message notifying the OLT that the ONU random challenge table attribute is established. In step 308, the OLT may receive from the ONU an AVC message notifying the OLT that the ONU authentication result table attribute is established.
[00065] In step 310, the OLT may request the ONU selected crypto capabilities attribute, the ONU random challenge table attribute, the ONU authentication result table attribute, or a combination thereof from the ONU using a get action. In step 312, the ONU responds to the OLT by sending the requested information in a get response message. In step 314, the OLT writes the OLT authentication result table attribute using a set action. In step 316, the OLT writes a true value to the OLT result state attribute using a set action. In step 318, the OLT may receive from the ONU an AVC message notifying the OLT that the ONU authentication state attribute is established. In step 320, the OLT requests the ONU master session key name attribute using a get action. In step 322, the ONU responds to the OLT by sending the requested information in a get response message. The authentication message exchange can then terminate.
[00066] FIG. 4 illustrates an embodiment of a plurality of ONU states 400. The ONU states 400 can be specified by a state machine that operates in state O5 as defined in ITU-T G.984.3 and G.987.3, which are incorporated herein by reference as if reproduced in their entirety. Initially, in block 410, the ONU may be in an inactive state (S0), for example after registration of the ONU. The S0 state can be indicated by an ONU authentication state attribute value of about zero. The OLT can then initiate an authentication process by writing a challenge to the OLT random challenge table attribute in the OMCI ME of the ONU.
[00067] At block 420, the ONU may enter the OLT challenge pending state (S1), for example after the OLT writes its challenge to the OLT random challenge table attribute. The OLT challenge pending state (S1) can be indicated by an ONU authentication state attribute value of about one. During the S1 state, the ONU can select the ONU random challenge attribute and/or calculate the ONU authentication result table attribute, and the OLT may not write a new value to the OLT random challenge table attribute. The ONU can then transition to the ONU challenge pending state (S2) after selecting the ONU random challenge attribute and/or calculating the ONU authentication result table attribute. If the ONU cannot perform the operations necessary to transition to the S2 state, the ONU transitions to the authentication error state (S5) instead.
[00068] In block 430, the ONU can enter the S2 state, for example after selecting the ONU random challenge attribute and/or calculating the ONU authentication result table attribute. The S2 state can be indicated by an ONU authentication state attribute value of about two. During the S2 state, the ONU waits for the OLT to read the relevant tables/attributes, for example the ONU selected crypto capabilities attribute, the ONU random challenge table attribute, the ONU authentication result table attribute, or combinations thereof, and to write the OLT's result for the ONU authentication challenge to the OLT authentication result table attribute. The OLT response may be time limited. For example, the OLT may need to respond to the ONU authentication challenge before a time period (T1) expires, where T1 can be set to about three seconds. If the OLT does not respond during state S2 before T1 expires, the ONU transitions to state S5. If the OLT responds before T1 expires, that is, by writing its result to the OLT authentication result table attribute, then the ONU transitions to the authentication success state (S3) or the authentication failure state (S4), depending on whether the OLT was successfully authenticated by the ONU. If the written result equals the OLT authentication value expected by the ONU, the OLT has been authenticated and the ONU transitions to the S3 state. If the result does not equal the expected OLT authentication value, the OLT has not been authenticated and the ONU transitions to the S4 state. While the ONU is in the S2 state, the OLT may not write a new value to the OLT random challenge table attribute.
[00069] Before entering the S3 state at block 440, the ONU sets a valid value for the master session key name attribute. In the S3 state, the OLT can read the master session key name attribute upon receiving an ONU AVC message indicating that the ONU authentication state attribute value has changed to the S3 value, for example about three. Waiting for the AVC notification before reading the master session key name attribute allows the OLT to ensure that the ONU is synchronized and the new key is ready for use within the TC-layer PLOAM function.
[00070] The authentication failure state S4 in block 450 can be indicated by an ONU authentication state attribute value of about four. During state S4, the ONU and/or OLT abandon the present authentication attempt. The S4 authentication failure state means that the authentication procedure failed for some reason, for example because of a PSK mismatch. The ONU transitions from state S4 to state S0 after a predetermined period of time (T2) has elapsed, for example about one second.
[00071] The S5 state can be indicated by an ONU authentication state attribute value of about five. During state S5 (block 460), the ONU and/or OLT abandon the present authentication attempt. The S5 state means that the authentication procedure was started but not completed, for example due to a communication error such as a lost connection. The ONU transitions from state S5 to state S0 after a predetermined period of time (T3) has elapsed, for example about one second.
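The following is an added example, not code from the patent or from any ONU firmware, that implements the ONU-side state machine of paragraphs [00066] to [00071] as it would drive the ONU authentication state attribute: the S0 to S5 transitions, the T1 timeout in S2, the T2 and T3 holds before returning to S0, the rule that the OLT may not write a new challenge in S1 or S2, the AVC notification on every state change, and the master session key name being set before S3 is reported and zeroed on the way back to S0. The digest computation is injected as two callables so that it is not repeated here; the callables in the usage line are constructed stand-ins, and treating a challenge written in S3, S4 or S5 as rejected (rather than restarting) is an assumption the page does not settle.

```python
from enum import IntEnum
from typing import Callable, Optional


class OnuAuthState(IntEnum):
    S0_INACTIVE = 0
    S1_OLT_CHALLENGE_PENDING = 1
    S2_ONU_CHALLENGE_PENDING = 2
    S3_AUTH_SUCCESS = 3
    S4_AUTH_FAILURE = 4
    S5_AUTH_ERROR = 5


T1_SECONDS = 3.0   # OLT must write its result table within T1 while the ONU is in S2
T2_SECONDS = 1.0   # hold time in S4 before returning to S0
T3_SECONDS = 1.0   # hold time in S5 before returning to S0
ZERO_KEY_NAME = bytes(16)


class OnuAuthStateMachine:
    """ONU view of the ONU authentication state attribute.

    verify_olt_result(table) returns the master session key name on a matching
    OLT authentication result table, or None on a mismatch.
    compute_onu_response() selects the ONU challenge and fills the ONU result
    table; it returns False if the ONU cannot, which leads to S5.
    """

    def __init__(self, verify_olt_result: Callable[[bytes], Optional[bytes]],
                 compute_onu_response: Callable[[], bool]) -> None:
        self.state = OnuAuthState.S0_INACTIVE
        self.deadline: Optional[float] = None
        self.msk_name = ZERO_KEY_NAME
        self.avc_log = []                 # (time, new attribute value) sent to the OLT
        self._verify = verify_olt_result
        self._compute = compute_onu_response

    def _enter(self, new: OnuAuthState, now: float, hold: Optional[float] = None) -> None:
        self.state = new
        self.deadline = None if hold is None else now + hold
        self.avc_log.append((now, int(new)))   # AVC for the attribute value change

    def olt_writes_challenge(self, now: float) -> bool:
        """OLT set of the OLT random challenge table plus OLT challenge state = true."""
        if self.state != OnuAuthState.S0_INACTIVE:
            return False   # not permitted in S1/S2; rejected in S3-S5 (assumption)
        self._enter(OnuAuthState.S1_OLT_CHALLENGE_PENDING, now)
        if self._compute():
            self._enter(OnuAuthState.S2_ONU_CHALLENGE_PENDING, now, hold=T1_SECONDS)
        else:
            self._enter(OnuAuthState.S5_AUTH_ERROR, now, hold=T3_SECONDS)
        return True

    def olt_writes_result(self, now: float, olt_result_table: bytes) -> bool:
        """OLT set of the OLT authentication result table plus OLT result state = true."""
        if self.state != OnuAuthState.S2_ONU_CHALLENGE_PENDING:
            return False
        self.tick(now)
        if self.state != OnuAuthState.S2_ONU_CHALLENGE_PENDING:
            return False   # T1 had already expired; the ONU is in S5
        key_name = self._verify(olt_result_table)
        if key_name is None:
            self._enter(OnuAuthState.S4_AUTH_FAILURE, now, hold=T2_SECONDS)
        else:
            self.msk_name = key_name   # valid name before S3 is announced
            self._enter(OnuAuthState.S3_AUTH_SUCCESS, now)
        return True

    def tick(self, now: float) -> None:
        """Advance the T1/T2/T3 timers; call periodically and before OLT writes."""
        if self.deadline is None or now < self.deadline:
            return
        if self.state == OnuAuthState.S2_ONU_CHALLENGE_PENDING:
            self._enter(OnuAuthState.S5_AUTH_ERROR, now, hold=T3_SECONDS)   # T1 expired
        elif self.state in (OnuAuthState.S4_AUTH_FAILURE, OnuAuthState.S5_AUTH_ERROR):
            self.msk_name = ZERO_KEY_NAME
            self._enter(OnuAuthState.S0_INACTIVE, now)

    def reset(self, now: float) -> None:
        """ONU reset or local decision that the master key expired."""
        self.msk_name = ZERO_KEY_NAME
        self._enter(OnuAuthState.S0_INACTIVE, now)


if __name__ == "__main__":
    # Constructed stand-ins: b"good" is the only accepted OLT result table.
    sm = OnuAuthStateMachine(lambda t: b"K" * 16 if t == b"good" else None, lambda: True)
    sm.olt_writes_challenge(0.0)
    sm.olt_writes_result(1.0, b"good")
    print(sm.state.name, sm.avc_log)
```

The OLT side mirrors this by refusing to start a key switch until the AVC carrying value three has been received and the master session key name has been read back non-zero; that is the synchronization point paragraph [00069] describes.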
[00072] In one embodiment, the OLT is configured to synchronize with the TC layer, for example in PLOAM, and to meet other security requirements, for example as in G.984 systems. When the ONU is in an authenticated state, it uses its master session key to encrypt the key carried in an encryption key PLOAM message. The master session key is derived as: MasterSessionKey = SelectedHashFunction(PSK, (OLT random challenge | ONU random challenge)), where '|' denotes concatenation, PSK is the pre-shared key, and SelectedHashFunction() is the hash function the ONU selected, and recorded in the ONU selected encryption capabilities attribute, from the list offered by the OLT.
[00073] In some cases the encryption key is itself encrypted with an AES-128 key in ECB mode. Since the encryption key carried in the encryption key PLOAM message is not protected against spoofing, the key could be spoofed or replayed by an attacker. Both spoofed and replayed keys can be detected by the key synchronization mechanisms. A replay attack, however, could force the OLT back onto an old encryption key, which would violate the security requirements of downstream data encryption. An OLT designed to resist replay therefore ensures that the ONU does not reuse a previously used encryption key between authentication cycles.
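The key derivation in [00072] and the replay check in [00073], as an added example that is not the patent's own code. The concrete hash function names, the reading of SelectedHashFunction(PSK, ...) as an HMAC keyed with the PSK, the truncation of the master session key to a 16-byte AES-128 key-encryption key, and the per-cycle key history are assumptions made here; the AES-128-ECB decryption of the PLOAM payload is not performed (the Python standard library has no AES), so the receiver is handed the already-unwrapped key.

```python
"""Master session key derivation and OLT-side replay guard for encryption key
PLOAM messages (added example; not the patent's code)."""
import hashlib
import hmac

# ASSUMPTION: illustrative capability names. The page only says the OLT offers
# a list and the ONU records its choice in the ONU selected encryption
# capabilities attribute.
HASH_FUNCTIONS = {"hmac-sha256": hashlib.sha256, "hmac-sha512": hashlib.sha512}


def select_hash_function(onu_supported, olt_offered):
    """Capability discovery: the ONU's first preference that the OLT offers."""
    for name in onu_supported:
        if name in olt_offered:
            return name
    raise ValueError("no hash function in common")


def master_session_key(psk, olt_random_challenge, onu_random_challenge, selected):
    """MasterSessionKey = SelectedHashFunction(PSK, OLT_challenge | ONU_challenge),
    with '|' read as byte concatenation and the PSK used as the HMAC key."""
    return hmac.new(psk, olt_random_challenge + onu_random_challenge,
                    HASH_FUNCTIONS[selected]).digest()


def key_encryption_key(msk):
    """AES-128 needs a 16-byte key. ASSUMPTION: leading 16 bytes of the MSK."""
    return msk[:16]


class OltEncryptionKeyReceiver:
    """OLT-side replay guard: within one authentication cycle each encryption
    key may be installed once, so a replayed PLOAM message cannot roll the
    OLT back to an earlier key."""

    def __init__(self):
        self.cycle = 0
        self.current_key = None
        self._used = set()  # fingerprints of keys seen in this cycle

    def start_authentication_cycle(self):
        """Entering S3 with a fresh MSK starts a new cycle. Keys from earlier
        cycles were wrapped under a different MSK, so the history is reset."""
        self.cycle += 1
        self.current_key = None
        self._used.clear()

    def accept_encryption_key(self, unwrapped_key):
        """`unwrapped_key` is the key after AES-128-ECB decryption under the
        KEK (done with a crypto library in a real OLT, outside this block).
        Returns True if installed, False if it repeats a key of this cycle."""
        fingerprint = hashlib.sha256(unwrapped_key).digest()
        if fingerprint in self._used:
            return False  # replayed or re-sent old key: keep the current one
        self._used.add(fingerprint)
        self.current_key = unwrapped_key
        return True
```

The history holds hashes of the keys rather than the keys themselves, and it is bounded by the number of rekeys per authentication cycle; a replayed message from a previous cycle decrypts to garbage under the new key-encryption key and is caught by key synchronization, which is why the check only needs to cover the current cycle.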
[00074] The network components described above can be implemented on any general-purpose network component, such as a computer or network component with sufficient processing power, memory resources, and network throughput to handle the workload placed on it. FIG. 5 illustrates a typical general-purpose network component 500 suitable for implementing one or more embodiments of the components disclosed herein. Network component 500 includes a processor 502 (which may be referred to as a central processing unit or CPU) that communicates with memory devices including secondary storage 504, read-only memory (ROM) 506, random-access memory (RAM) 508, input/output (I/O) devices 510, and network connectivity devices 512. Processor 502 may be implemented as one or more CPU chips, or may be part of one or more application-specific integrated circuits (ASICs).
[00075] Secondary storage 504 typically comprises one or more disk drives or tape drives and is used for non-volatile storage of data and as an overflow data storage device if RAM 508 is not large enough to hold all working data. Secondary storage 504 may be used to store programs that are loaded into RAM 508 when such programs are selected for execution. ROM 506 is used to store instructions and perhaps data that are read during program execution. ROM 506 is a non-volatile memory device that typically has a small memory capacity relative to the larger memory capacity of secondary storage 504. RAM 508 is used to store volatile data and perhaps to store instructions. Access to both ROM 506 and RAM 508 is typically faster than to secondary storage 504.
[00076] At least one embodiment is disclosed, and variations, combinations, and/or modifications of the embodiment(s) and/or features of the embodiment(s) made by a person having ordinary skill in the art are within the scope of the disclosure. Alternative embodiments that result from combining, integrating, and/or omitting features of the embodiment(s) are also within the scope of the disclosure. Where numerical ranges or limitations are expressly stated, such express ranges or limitations should be understood to include iterative ranges or limitations of like magnitude falling within the expressly stated ranges or limitations (e.g., from about 1 to about 10 includes 2, 3, 4, etc.; greater than 0.10 includes 0.11, 0.12, 0.13, etc.). For example, whenever a numerical range with a lower limit, Rl, and an upper limit, Ru, is disclosed, any number falling within the range is specifically disclosed. In particular, the following numbers within the range are specifically disclosed: R = Rl + k * (Ru - Rl), where k is a variable ranging from 1 percent to 100 percent in 1 percent increments, i.e., k is 1 percent, 2 percent, 3 percent, 4 percent, 5 percent, ..., 50 percent, 51 percent, 52 percent, ..., 95 percent, 96 percent, 97 percent, 98 percent, 99 percent, or 100 percent. Moreover, any numerical range defined by two R numbers as defined above is also specifically disclosed. Use of the term "optionally" with respect to any element of an embodiment means that the element is required, or alternatively, the element is not required, both alternatives being within the scope of the embodiment. Use of broader terms such as comprises, includes, and having should be understood to provide support for narrower terms such as consisting of, consisting essentially of, and comprised substantially of.
Accordingly, the scope of protection is not limited by the description set out above but is defined by the claims that follow, that scope including all equivalents of the subject matter of the claims. Each and every claim is incorporated as further disclosure into the specification, and the claims are embodiment(s) of the present disclosure. The discussion of a reference in the disclosure is not an admission that it is prior art, especially any reference that has a publication date after the priority date of this application. The disclosures of all patents, patent applications, and publications cited in the disclosure are hereby incorporated by reference, to the extent that they provide exemplary, procedural, or other details supplementary to the disclosure.
[00077] While several embodiments have been provided in the present disclosure, it should be understood that the disclosed systems and methods may be embodied in many other specific forms without departing from the spirit or scope of the present disclosure. The present examples are to be considered as illustrative and not restrictive, and the intention is not to be limited to the details given herein. For example, the various elements or components may be combined or integrated in another system, or certain features may be omitted or not implemented.
[00078] In addition, techniques, systems, subsystems, and methods described and illustrated in the various embodiments as discrete or separate may be combined or integrated with other systems, modules, techniques, or methods without departing from the scope of the present disclosure. Other items shown or discussed as coupled or directly coupled or communicating with each other may be indirectly coupled or communicating through some interface, device, or intermediate component, whether electrically, mechanically, or otherwise. Other examples of changes, substitutions, and alterations are ascertainable by one skilled in the art and may be made without departing from the spirit and scope disclosed herein.
Claims (6)
1. Apparatus for providing enhanced security in a passive optical network system, characterized in that it comprises: an optical line terminal (OLT) (110) configured to read and/or write, in an optical network unit (ONU) (120, 200), an ONU management control interface (OMCI) management entity (ME), wherein the OMCI ME comprises a plurality of attributes (220) that support a plurality of security functions for upstream transmissions between the ONU (120, 200) and the OLT (110), wherein the attributes comprise an OLT authentication result table attribute that specifies a response to be used in an OLT authentication function, and an OLT authentication result status attribute that tracks and reports the status of the OLT authentication result table attribute; wherein a false value of the OLT authentication result status attribute indicates that the OLT authentication result table attribute is not complete, and a true value of the OLT authentication result status attribute indicates that the OLT authentication result table attribute is complete; and wherein the attributes (220) are communicated over an OMCI channel between the ONU (120, 200) and the OLT (110) and provide the security functions to the ONU (120, 200) and to the OLT (110).
2. Apparatus according to claim 1, characterized in that the security functions comprise a security capability discovery function, an ONU authentication function, an OLT authentication function, and a key privacy function.
3. Apparatus according to claim 1, characterized in that the attributes (220) comprise a two-byte ME identifier (ID) attribute that identifies an instance of the ME.
4. Apparatus for providing enhanced security in a passive optical network system, characterized in that it comprises: an optical network unit (ONU) (120, 200) configured to couple to an optical line terminal (OLT) (110) and comprising an ONU management control interface (OMCI) management entity (ME), wherein the OMCI ME comprises a plurality of attributes (220) that support a plurality of security functions for upstream transmissions between the ONU (120, 200) and the OLT (110), wherein the attributes comprise an OLT authentication result table attribute that specifies a response to be used in an OLT authentication function, and an OLT authentication result status attribute that tracks and reports the status of the OLT authentication result table attribute; wherein a false value of the OLT authentication result status attribute indicates that the OLT authentication result table attribute is not complete, and a true value of the OLT authentication result status attribute indicates that the OLT authentication result table attribute is complete; and wherein the attributes (220) are communicated over an OMCI channel between the ONU (120, 200) and the OLT (110) and provide the security functions to the ONU (120, 200) and to the OLT (110).
5. Apparatus according to claim 4, characterized in that the attributes (220) comprise a two-byte ME identifier (ID) attribute that identifies an instance of the ME.
6. Method for providing enhanced security in a passive optical network system, characterized in that it comprises the steps of: exchanging a plurality of security attributes with an optical network unit (ONU) (120, 200) over an ONU management control interface (OMCI) channel, thereby providing a plurality of security functions for upstream communications from the ONU (120, 200), wherein the attributes comprise an optical line terminal (OLT) authentication result table attribute that specifies a response to be used in an OLT authentication function, and an OLT authentication result status attribute that tracks and reports the status of the OLT authentication result table attribute; wherein a false value of the OLT authentication result status attribute indicates that the OLT authentication result table attribute is not complete, and a true value of the OLT authentication result status attribute indicates that the OLT authentication result table attribute is complete; and wherein the attributes are exchanged without modifying a physical layer operation, administration, and management (PLOAM) channel between the OLT (110) and the ONU (120, 200).
Patent family:
Publication number | Publication date
WO2011012092A1|2011-02-03|
US20110029773A1|2011-02-03|
US20140052991A1|2014-02-20|
KR20120048625A|2012-05-15|
US9032209B2|2015-05-12|
EP3125465B1|2021-09-01|
KR101370272B1|2014-03-25|
EP2449718B1|2015-02-25|
CN102656838B|2015-06-17|
CA2769226C|2015-11-24|
AU2010278478B2|2014-02-27|
US8850197B2|2014-09-30|
PT2882134T|2016-12-06|
MX2012001203A|2012-03-26|
US20120128155A1|2012-05-24|
EP2449718A1|2012-05-09|
EP2449718A4|2012-09-05|
EP2882134B1|2016-09-21|
CA2769226A1|2011-02-03|
EP2882134A1|2015-06-10|
AU2010278478A1|2012-03-01|
BR112012008062A2|2016-03-01|
PL2882134T3|2017-04-28|
RU2507691C2|2014-02-20|
CN102656838A|2012-09-05|
RU2012107414A|2013-09-10|
PL2449718T3|2015-07-31|
JP2013501389A|2013-01-10|
ES2536784T3|2015-05-28|
ES2606959T3|2017-03-28|
US8442229B2|2013-05-14|
JP5366108B2|2013-12-11|
EP3125465A1|2017-02-01|
Legal status:
2019-01-15 | B06F | Objections, documents and/or translations needed after an examination request [chapter 6.6 patent gazette]
2020-01-14 | B15K | Others concerning applications: alteration of classification | Free format text: THE PREVIOUS CLASSIFICATIONS WERE: H04L 9/08, H04B 10/00, H04Q 11/00. IPC: H04L 9/08 (1990.01), H04L 9/32 (1990.01), H04L 29/
2020-01-14 | B06U | Preliminary requirement: requests with searches performed by other patent offices: procedure suspended [chapter 6.21 patent gazette]
2021-04-06 | B09A | Decision: intention to grant [chapter 9.1 patent gazette]
2021-04-20 | B16A | Patent or certificate of addition of invention granted | Free format text: TERM OF VALIDITY: 10 (TEN) YEARS COUNTED FROM 20/04/2021, SUBJECT TO THE LEGAL CONDITIONS.
2021-05-04 | B16B | Notification of grant cancelled | Free format text: PUBLICATION CODE 16.1 IN RPI NO. 2624 OF 20/04/2021 ANNULLED AS HAVING BEEN IMPROPER.
2021-05-18 | B09W | Decision of grant: rectification | Free format text: DUE TO ERRORS IN TABLE 1.
Priority:
Application number | Filing date | Title
US 61/230,520 (provisional) | 2009-07-31 |
US 12/844,173 (US8850197B2) | 2010-07-27 | Optical network terminal management control interface-based passive optical network security enhancement
PCT/CN2010/075618 (WO2011012092A1) | 2010-07-31 | Optical network terminal management control interface-based passive optical network security enhancement