US9270651B2ActiveUtilityA1

Authentication and initial key exchange in ethernet passive optical network over coaxial network

86
Assignee: FUTUREWEI TECHNOLOGIES INCPriority: Apr 5, 2013Filed: Apr 2, 2014Granted: Feb 23, 2016
Est. expiryApr 5, 2033(~6.7 yrs left)· nominal 20-yr term from priority
H04L 2463/062H04L 9/0891H04B 10/272H04L 63/068H04L 9/0858H04L 63/062H04L 63/0471H04L 63/061
86
PatentIndex Score
8
Cited by
57
References
5
Claims

Abstract

A method comprising generating an updated security key upon expiration of a key exchange timer, transferring the updated security key to a Coaxial Network Unit (CNU), retaining an original key, wherein the updated security key comprises a different key identification number than the original key, accepting and decrypting upstream traffic that employs either the original key or the updated key, after transferring the updated security key to the CNU, creating a key switchover timer, before the key switchover timer expires, verify that upstream traffic transferred from the CNU on a logical link uses the updated security key, and when upstream traffic is encrypted using the updated security key, begin using the updated security key to encrypt downstream traffic and clear the key switchover timer.

Claims

exact text as granted — not AI-modified
What is claimed is: 
     
       1. An Optical Line Terminal (OLT) comprising:
 a receiver coupled to a Passive Optical Network (PON) and configured to receive a security key request from a Fiber Coaxial Unit (FCU) via the PON wherein the receiver is further configured to receive an upstream message from a Coaxial Network Unit (CNU) via the FCU and an Ethernet PON over Coaxial (EPoC) network; 
 a processor coupled to the receiver and configured to:
 generate a first security key responsive to the security key request from the FCU; 
 encrypt the first security key in a security key response message; 
 encrypt a downstream message with the first security key; 
 decrypt the upstream first security key; and 
 initiate a switchover from the first security key to a second security key upon expiration of a timer; 
 
 a transmitter coupled to the processor and configured to transmit the security key response message comprising the encrypted first security key to the FCU via the PON, wherein the transmitter is further configured to transmit the downstream message toward the CNU via the FCU and the EPoC network, 
 wherein the switchover comprises:
 generating and encrypting the second security key by the processor; 
 transmitting the encrypted second security key toward the CNU by the transmitter; 
 encrypting downstream traffic with the first security key until the receiver receives upstream traffic from the CNU that is encrypted with the second security key; and 
 encrypting downstream traffic with the second security key in response to receiving upstream traffic that is encrypted with the second security key. 
 
 
     
     
       2. The OLT of  claim 1 , wherein the transmitter is further configured to transmit a key switchover verification message to request an acknowledgement that the switchover is complete at the CNU. 
     
     
       3. The OLT of  claim 2 , wherein the transmitter is further configured to transmit the key switchover verification message to request an acknowledgement that the switchover is complete at the FCU. 
     
     
       4. A method comprising:
 generating, by an Optical Line Terminal (OLT), an updated security key upon expiration of a key exchange timer; 
 transferring, by the OLT, the updated security key to an endpoint, wherein the endpoint is at least one of a Fiber Coaxial Unit (FCU) and a Coaxial Network Unit (CNU), wherein the OLT transfers the updated security key to the FCU via a Passive Optical Network (PON) when the endpoint is the FCU, and wherein the OLT transfers the updated security key to the CNU via the FCU and an Ethernet PON over Coaxial (EPoC) network when the endpoint is the CNU; 
 retaining an original security key, wherein the updated security key comprises a different key identification number than the original security key; 
 accepting and decrypting upstream traffic that employs either the original security key or the updated security key; 
 after transferring the updated security key to the endpoint, creating a key switchover timer; 
 before the key switchover timer expires, verify that upstream traffic transferred from the endpoint on a logical link uses the updated security key; and 
 begin, in response to upstream traffic being encrypted using the updated security key, using the updated security key to encrypt downstream traffic and clear the key switchover timer. 
 
     
     
       5. The method of  claim 4 , wherein the original security key and the updated security keys each comprise a 128-bit random key string associated with the logical link.

Cited by (0)

No later patents cite this yet.

References (0)

No backward citations on record.