Secure authentication scheme for 10 Gbit/s Ethernet passive optical networks
Introduction
EPON combines Ethernet with passive optical network technology; its high bandwidth, low cost and good compatibility make it one of the important means of access. 10 Gbit/s EPON (10G EPON), the next generation of EPON, has gained increasing attention because it can offer bandwidth over 600 Mbps to each optical network unit (ONU) [1], [2], [3], [4]. The optical line terminal (OLT) broadcasts data to the ONUs through the downstream channel. By applying the logical link identifier (LLID) filtering rule, an ONU extracts the frames addressed to it from the downstream traffic. With the help of dynamic bandwidth allocation algorithms, the OLT regulates the upstream data flow from multiple ONUs.
Because 10G EPON uses a simple point-to-multi-point (P2MP) topology, and because the LLID filtering rule is quite simple and not secure [5], the downstream broadcast channel is in practice available to anyone. With access to all downstream data, privacy is no longer guaranteed, and illegal users could forge a legitimate LLID to join the system and launch attacks [6]. Therefore, it is imperative to provide feasible and efficient means of ensuring the safety of 10G EPON.
10G EPON defines an automatic discovery and registration process, but it does not define a corresponding authentication method. If a malicious ONU joins the 10G EPON, the system cannot detect it and network resources will be stolen. To address this hazard, Roh proposed an authentication scheme with a key exchange protocol [7]; however, it requires an authentication server, which raises the cost. Inácio proposed a mechanism that enhances the safety of the system by encrypting the preamble of EPON frames so that no two frames carry the same preamble [8], which increases the delay significantly. Others designed protective network architectures, but real-world deployments vary, so such methods may be unsuitable. In summary, the main shortcomings of existing security schemes are the complexity of authentication and the unsafe transmission and update of encryption keys [9], [10].
In this paper, we present a novel bilateral authentication scheme for the OLT and ONUs that needs no trusted third party. Built on the registration process, the scheme achieves mutual authentication between OLT and ONU using an authentication key. The authentication key is also used to establish the session key, and the session key has freshness, so our protocol can be more secure.
The rest of the paper is organized as follows. In Section 2, we first introduce the existing security threats and then define computational Diffie–Hellman (CDH) problem, computational Diffie–Hellman assumption and target collision resistant hash function. In Section 3, we propose a new authentication and encryption scheme. A detailed security analysis is given in Section 4. After that, performance analysis and simulation are presented in Section 5. Finally, a conclusion of this paper is given in Section 6.
Section snippets
Eavesdropping
In 10G EPON, the LLID filtering rule can be disabled by simply switching an ONU to promiscuous mode, after which every packet in the downstream traffic can be extracted. A malicious ONU can thus obtain other ONUs' data and launch further attacks, such as theft-of-service and denial-of-service [11]. Furthermore, eavesdropping in 10G EPON is totally passive, which means that neither the OLT nor the ONU can detect the eavesdropper during the whole transmission, so the confidentiality of data cannot be
The proposed scheme
In this section, we propose a bilateral authentication scheme based on the registration process of the ONU. The proposed scheme has strong security. The basic ideas of our construction are as follows:
1. In order to prevent meet-in-the-middle attack, the transmitted data in the register process must be kept secret and the temporal secret key must support dynamic update.
2. To resist impersonation attack, OLT and ONU should authenticate each other in the proper manner, and establish a session key to encrypt
Security analysis
In this section, we discuss the security attributes of the proposed scheme and compare its security properties with those of some related schemes. The analysis shows that our scheme is secure. The known cryptographic attacks considered are as follows:
Performance analysis
In this section, we compare our proposed scheme with other existing related schemes such as Kim's [21] and Goff's [22]. Goff's scheme adopts a challenge/response approach in a symmetric key system to perform authentication. It indeed achieves authentication of the OLT and ONU. However, its realization requires four HMAC-SHA256 computations and two KD-HMAC-SHA256 computations. Kim's authentication scheme runs after the registration request, and the whole process is in the public key
Conclusions
In this paper, to solve the security problems in 10G EPON, we propose a novel bilateral authentication scheme and an encryption scheme, which are used against masquerading and eavesdropping. The authentication is embedded into the registration process, using an authentication key to verify the OLT as well as the ONU and to establish the session key between them. The encryption scheme uses the hash value of the session key as the initial key of AES-256. Since the session key includes the timestamp (T) and random
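The properties claimed in the Introduction and the Conclusions (mutual OLT/ONU authentication under a pre-shared authentication key, a Diffie–Hellman session key bound to a timestamp T and a random nonce, and SHA-256 of the session key as the AES-256 key) can be illustrated with the following added example; it is not the paper's own protocol, and the message layout, the HMAC tagging, the 30-second freshness window and the toy 127-bit DH group are all assumptions made here for illustration.

```python
import hashlib
import hmac
import os
import time

# Toy Diffie-Hellman group, constructed for illustration only (far too small for real use).
P = 2**127 - 1   # Mersenne prime
G = 2
WINDOW = 30      # seconds within which a timestamp T is accepted (assumed value)

def mac(k_auth, role, *parts):
    """HMAC-SHA256 over a role label and the message fields, keyed with the shared authentication key."""
    fields = [p if isinstance(p, bytes) else str(p).encode() for p in parts]
    return hmac.new(k_auth, b"|".join([role.encode()] + fields), hashlib.sha256).digest()

def derive_keys(shared, t, nonce):
    """Session key binds the DH secret to T and the nonce; its hash is the 32-byte AES-256 key."""
    session_key = hashlib.sha256(shared.to_bytes(16, "big") + str(t).encode() + nonce).digest()
    return session_key, hashlib.sha256(session_key).digest()

def onu_register(k_auth, now=None):
    """ONU, step 1: fresh DH share A with timestamp T and random nonce N, tagged under k_auth."""
    a = 1 + int.from_bytes(os.urandom(16), "big") % (P - 2)
    t = int(time.time() if now is None else now)
    nonce = os.urandom(16)
    A = pow(G, a, P)
    return {"A": A, "T": t, "N": nonce, "tag": mac(k_auth, "ONU", A, t, nonce)}, a

def olt_respond(k_auth, msg, seen_nonces, now=None):
    """OLT: verify the ONU tag and freshness, then answer with its own tagged DH share B."""
    t_now = int(time.time() if now is None else now)
    if not hmac.compare_digest(msg["tag"], mac(k_auth, "ONU", msg["A"], msg["T"], msg["N"])):
        raise ValueError("ONU authentication failed")
    if abs(t_now - msg["T"]) > WINDOW or msg["N"] in seen_nonces:
        raise ValueError("stale or replayed registration")  # freshness check
    seen_nonces.add(msg["N"])
    b = 1 + int.from_bytes(os.urandom(16), "big") % (P - 2)
    B = pow(G, b, P)
    reply = {"B": B, "tag": mac(k_auth, "OLT", msg["A"], B, msg["T"], msg["N"])}
    return reply, derive_keys(pow(msg["A"], b, P), msg["T"], msg["N"])

def onu_finish(k_auth, msg, reply, a):
    """ONU, step 2: verify the OLT tag, then derive the same session and AES-256 keys."""
    expected = mac(k_auth, "OLT", msg["A"], reply["B"], msg["T"], msg["N"])
    if not hmac.compare_digest(reply["tag"], expected):
        raise ValueError("OLT authentication failed")
    return derive_keys(pow(reply["B"], a, P), msg["T"], msg["N"])
```

A replayed registration message, a stale timestamp or a wrong authentication key is rejected by the OLT before any key material is derived.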
Acknowledgements
This work was partially supported by the National Science Foundation of China under grant 61262079 and by the Provincial Natural Science Foundation of Jiangxi under grant 20114BAB201026.
References (22)
- [1] et al. Challenges in next-generation optical access networks: addressing reach extension and security weaknesses. IET Optoelectr. (2011)
- [2] et al. Analytical modeling of bidirectional multi-channel IEEE 802.11 MAC protocols. Int. J. Commun. Syst. (2011)
- [3] et al. Optical Access Network Migration from GPON to XG-PON (2012)
- [4] et al. Hybrid WDM–XDM PON architectures for future proof access networks. Int. J. Adv. Syst. Meas. (2012)
- [5] et al. IEEE 802.3av 10G-EPON standardization and its research and development status. J. Lightwave Technol. (2010)
- [6] et al. Security Issues in Integrated EPON and Next-generation WLAN Networks (2010)
- [7] et al. Design of Authentication and Key Exchange Protocol in Ethernet Passive Optical Networks. Computational Science and Its Applications (2004)
- [8] et al. Preamble Encryption Mechanism for Enhanced Privacy in Ethernet Passive Optical Networks (2006)
- [9] et al. A novel protection architecture scheme for EPON. Inf. Technol. J. (2011)
- [10] et al. A unified security framework for WiMAX over EPON access networks. Secur. Commun. Netw. (2011)
- [11] Encryption and Authentication Mechanism of 10G EPON Systems Based on GCM
Cited by (4)
- Security solution with signal propagation measurement for Gigabit Passive Optical Networks. Optik, 2016. Citation excerpt: "Moreover, their solution needs 8 modular exponentiation operations, 2 symmetric encryption operations and 2 hash operations in the authentication and key agreement phase. In Section 4, our solution offers the same security but the number of operations is lower than in [13]. This work is partly based on our previous works [14,15]."
- Quantitative model checking for assessing the energy impact of a MITM attack on EPONs. Internet Technology Letters, 2022.
- Security enhanced dynamic bandwidth allocation algorithm against degradation attacks in next generation passive optical networks. Journal of Optical Communications and Networking, 2021.
- Optical identity authentication technique based on compressive ghost imaging with QR code. Laser Physics Letters, 2018.