As shown in Figure 4-1, client-side signals are mapped to the payload area in an
OPUk frame, and then OPUk overheads are added to form a lower-order ODUk
frame. Then, multiple ODUk frames are multiplexed into a higher-order ODUj (j =
k + 1 or higher) frame, and then OTU overheads are added to form the final
signal transmitted over an optical fiber.
Figure 4-2 shows the block diagram of an encryption system. Table 4-1 describes
the functions of each system component.
Isolation Capability
Before configuring service encryption, you must complete the following tasks on
the network management system (for example, NCE):
● Create a service. The service to be encrypted must have been created on the
NCE.
● Authorize an encryption administrator account. You must create an encryption
administrator account for each user, allocate encryption port resources, and
inform each user of the account, password, and device IP address.
Users issue encryption management commands through the security management tool (SMT). The SMT connects to the SMS on the NE over TLS 1.2.
Privacy Protection
On the security management tool, a user can set the Encryption Management Key (EMK) after logging in to the NE with the account and password. The EMK is a character string of 8 to 32 bytes. After the
Authentication
Whether the peer end is a legitimate device is determined by comparing the values calculated at the source end and at the sink end.
As shown in Figure 4-5, the source end and sink end use the SHA-256 digest
algorithm to calculate the Message Authentication Code (MAC) value based on
input parameters. If the input parameters are the same and the calculated values
are the same at the two ends, identity authentication is successful. After the
encryption function is enabled, authentication is performed only once. The
authentication is performed again only after services are interrupted.
● Authentication Key (AK): As shown in Figure 4-4, the key derived from the Authentication Info configured by a user is transmitted to the sink end before key negotiation.
● ID: The ID is computed based on the NE ID, subrack ID, board slot ID, and port
number.
● MAC: The MAC is computed based on random number A, random number B,
ID, and AK using the SHA-256 digest algorithm.
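The exchange of Figure 4-5, written out as an added example (not code from the original page or from the vendor). Both ends contribute a random number, the ID is built from the NE, subrack, slot and port fields the page lists, and each end computes SHA-256 over A, B, ID and AK and compares it with the value the peer sends. The field widths, the concatenation order and the assumption that the sink uses the ID the source announces are choices made here for illustration; the page does not fix them.

```python
import hashlib
import hmac
import secrets


def port_identifier(ne_id: int, subrack_id: int, slot_id: int, port: int) -> bytes:
    """ID derived from NE ID, subrack ID, board slot ID and port number.
    The fixed-width big-endian packing is an assumption of this example."""
    return (ne_id.to_bytes(4, "big") + subrack_id.to_bytes(1, "big")
            + slot_id.to_bytes(1, "big") + port.to_bytes(2, "big"))


def auth_mac(rand_a: bytes, rand_b: bytes, port_id: bytes, ak: bytes) -> bytes:
    """SHA-256 over random A, random B, ID and AK, as the page describes.
    The concatenation order is an assumption of this example."""
    return hashlib.sha256(rand_a + rand_b + port_id + ak).digest()


def mutual_authenticate(source_ak: bytes, sink_ak: bytes, port_id: bytes) -> bool:
    """Run the bidirectional authentication between a source and a sink.

    Wire messages (constructed for this example):
      source -> sink : random A, ID
      sink   -> source: random B
      source -> sink : MAC computed at the source
      sink   -> source: MAC computed at the sink
    Only the random numbers, the ID and the two MACs cross the line; the AK
    itself never does, so matching MACs prove both ends hold the same AK.
    """
    rand_a = secrets.token_bytes(16)
    rand_b = secrets.token_bytes(16)
    mac_at_source = auth_mac(rand_a, rand_b, port_id, source_ak)
    mac_at_sink = auth_mac(rand_a, rand_b, port_id, sink_ak)
    # Each end compares the value it received with the value it computed
    # locally. compare_digest is constant-time, so a peer probing with
    # guesses learns nothing from how long the comparison takes.
    sink_accepts = hmac.compare_digest(mac_at_source, mac_at_sink)
    source_accepts = hmac.compare_digest(mac_at_sink, mac_at_source)
    return sink_accepts and source_accepts


if __name__ == "__main__":
    pid = port_identifier(1001, 1, 5, 2)
    shared_ak = b"example-authentication-key"   # constructed value
    print("same AK:", mutual_authenticate(shared_ak, shared_ak, pid))
    print("different AK:", mutual_authenticate(shared_ak, b"other-key", pid))
```

A device that holds a different AK, or that presents a different ID than the one the sink expects, produces a different digest and is rejected. Note that a plain SHA-256 digest over a concatenation containing the secret is not the HMAC construction the page uses for unidirectional services; HMAC is the standard way to build a keyed MAC from SHA-256 and avoids length-extension issues of the bare hash.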
Key Negotiation
Key negotiation between two ends generates a session key.
Each end generates a public/private key pair using the Diffie-Hellman algorithm. The source end sends its public key to the sink end, and the sink end sends its public key to the source end. Each end then combines the peer's public key with its own private key to generate the session key; because of the Diffie-Hellman property, both ends arrive at the same value without either private key ever leaving its device.
Unauthenticated key negotiation is exposed to man-in-the-middle attacks. As shown in Figure 4-6, an attacker (C) pretends to be B when communicating with A and pretends to be A when communicating with B. Both A and B unknowingly negotiate a key with C rather than with each other, so C can decrypt, read and re-encrypt all traffic passing between them.
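The Figure 4-6 attack, shown as an added example (not code from the original page or from the vendor) against a plain Diffie-Hellman exchange over the standardized 2048-bit MODP group of RFC 3526 (group 14). The honest run gives both ends the same secret; in the attacked run C holds one key with A and another with B while A and B hold no common key at all, which is why the page authenticates the ends before the key is used. The public-value sanity check is a practitioner's addition that the page does not mention.

```python
import secrets

# 2048-bit MODP group, RFC 3526 group 14; generator 2.
P_HEX = """
FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08 8A67CC74
020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B 302B0A6D F25F1437
4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED
EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D C2007CB8 A163BF05
98DA4836 1C55D39A 69163FA8 FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB
9ED52907 7096966D 670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B
E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718
3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AACAA68 FFFFFFFF FFFFFFFF
"""
P = int("".join(P_HEX.split()), 16)
G = 2


def dh_keypair():
    """Private exponent in [1, P-2] and the matching public value g^x mod p."""
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)


def accept_public(pub: int) -> bool:
    """Reject trivial public values (0, 1, p-1) that would force a
    predictable shared secret. Not on the page; standard practice."""
    return 1 < pub < P - 1


def dh_shared(priv: int, peer_pub: int) -> int:
    if not accept_public(peer_pub):
        raise ValueError("invalid peer public value")
    return pow(peer_pub, priv, P)


def honest_exchange() -> bool:
    """A and B exchange public values directly and derive the same secret."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    return dh_shared(a_priv, b_pub) == dh_shared(b_priv, a_pub)


def mitm_exchange() -> dict:
    """C intercepts both public values and substitutes its own (Figure 4-6)."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    c1_priv, c1_pub = dh_keypair()   # C's key pair towards A, posing as B
    c2_priv, c2_pub = dh_keypair()   # C's key pair towards B, posing as A
    key_a = dh_shared(a_priv, c1_pub)      # A believes c1_pub came from B
    key_b = dh_shared(b_priv, c2_pub)      # B believes c2_pub came from A
    key_c_with_a = dh_shared(c1_priv, a_pub)
    key_c_with_b = dh_shared(c2_priv, b_pub)
    return {
        "a_b_agree": key_a == key_b,            # False: no key shared by A and B
        "c_reads_a": key_a == key_c_with_a,     # True: C decrypts A's traffic
        "c_reads_b": key_b == key_c_with_b,     # True: C decrypts B's traffic
    }


if __name__ == "__main__":
    print("honest exchange agrees:", honest_exchange())
    print("man in the middle:", mitm_exchange())
```

Nothing in the two public values tells A or B that C substituted them; only a check tied to a secret both legitimate ends already hold, such as the AK-based authentication above or the HMAC-SHA256 step below, lets an end reject the substituted peer.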
1. The source end computes an authentication value with HMAC-SHA256 and sends it repeatedly; the sink end uses it to verify that the source end is legitimate.
2. The two ends use the PBKDF2 algorithm to derive a session key from the customer key configured by the user.
3. The SE2900 then encrypts and decrypts the service data with AES-256 under the new session key.
● Before the encryption function is enabled for a service for the first time, no key exists yet, so the customer key must be configured before any encryption operation can follow.
● After the encryption function is enabled, the user can also change the customer key. Key derivation and encryption are then repeated with the new key.
● Customer key, which is configured by the user and consists of 2048 bits, is
used as the basis of deriving the actual encryption key. The customer key of a
bidirectional service is automatically generated by the two ends, without
requiring manual configuration. The customer key of a unidirectional service
is configured by the user before encryption is enabled or during the
encryption enabling process.
● HMAC-SHA256 is a keyed, one-way message authentication code, not an encryption algorithm. It combines the Authentication Info (an authentication character string of 1 to 64 bytes configured by the user) with the message into a 256-bit value that cannot be reversed to recover the string. Only this value is transmitted, so an eavesdropper on the line never sees the Authentication Info itself.
● Password-Based Key Derivation Function 2 (PBKDF2) is a standard key derivation function that applies a pseudorandom function (here HMAC) iteratively to a secret and a salt to derive a key.
● Advanced Encryption Standard (AES) is a symmetric block cipher with a 128-bit block size; AES-256 uses a 256-bit key. Here it runs in counter mode (CTR), which turns the block cipher into a keystream generator and allows blocks to be encrypted in parallel, so line-rate throughput can be sustained. Exhaustive search of a 256-bit key is computationally infeasible, far beyond the effort needed against traditional ciphers with shorter keys. CTR mode is only secure if a counter value is never reused under the same key, so each key change must also start a fresh counter.
Authentication
The legitimacy of the source end is verified at the sink end, which compares the value it receives with the value it calculates itself.
As shown in Figure 4-10, the source end and sink end use the HMAC_SHA256
algorithm to calculate hash values, and the sink end compares the hash values to
determine whether the source end is a legitimate device. The subsequent process
can be started only after the authentication succeeds. After the encryption
function is enabled, authentication is performed only once. The authentication is
performed again only after services are interrupted.
In unidirectional service encryption the source end repeatedly calculates and sends hash values, because there is no return path through which the sink could challenge it; this differs from the bidirectional process. To defend against replay attacks, the timestamp carried with a hash value must be within 10 s of the sink end's clock; values outside that window are not accepted.
Key Calculation
The source end and sink end use the PBKDF2 algorithm to calculate a session key
based on the random number generated by the source end and the key identifiers
at the two ends.
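The unidirectional procedure, covering both the HMAC-SHA256 authentication with the 10 s replay window and the PBKDF2 key calculation from the source random number and key identifiers, as an added example (not code from the original page or from the vendor). It uses only the Python standard library. The message layout under the HMAC (ID followed by an 8-byte timestamp), the salt layout, the PBKDF2 iteration count and the 32-byte output length are assumptions made here; the page gives the inputs but not their encoding.

```python
import hashlib
import hmac

REPLAY_WINDOW_S = 10   # page: source/sink timestamp difference must be within 10 s


def auth_value(auth_info: bytes, port_id: bytes, timestamp: int) -> bytes:
    """HMAC-SHA256 keyed with the Authentication Info (1 to 64 bytes per the page).
    Message layout ID || 8-byte big-endian timestamp is an assumption."""
    if not 1 <= len(auth_info) <= 64:
        raise ValueError("Authentication Info must be 1 to 64 bytes")
    msg = port_id + timestamp.to_bytes(8, "big")
    return hmac.new(auth_info, msg, hashlib.sha256).digest()


def sink_verify(auth_info: bytes, port_id: bytes, timestamp: int,
                received: bytes, now: int) -> bool:
    """Sink-side check of one value the source sent.

    The timestamp window is what stops a captured value from being replayed
    later: a correct HMAC that is stale is rejected before it is compared.
    """
    if abs(now - timestamp) > REPLAY_WINDOW_S:
        return False
    expected = auth_value(auth_info, port_id, timestamp)
    return hmac.compare_digest(expected, received)


def session_key(customer_key: bytes, source_random: bytes,
                src_key_id: bytes, sink_key_id: bytes,
                iterations: int = 100_000) -> bytes:
    """PBKDF2-HMAC-SHA256 over the 2048-bit customer key. The salt is the
    source random number plus the key identifiers of both ends, as the page
    lists; the layout and iteration count are assumptions."""
    if len(customer_key) * 8 != 2048:
        raise ValueError("customer key must be 2048 bits")
    salt = source_random + src_key_id + sink_key_id
    return hashlib.pbkdf2_hmac("sha256", customer_key, salt, iterations, dklen=32)


if __name__ == "__main__":
    # Constructed sample values, not taken from any device.
    pid = bytes.fromhex("000003e9010500 02")
    info = b"site-A-to-site-B"
    ts = 1_700_000_000
    tag = auth_value(info, pid, ts)
    print("fresh value accepted:", sink_verify(info, pid, ts, tag, now=ts + 3))
    print("replay after 15 s accepted:", sink_verify(info, pid, ts, tag, now=ts + 15))
    ck = bytes(range(256))                  # constructed 2048-bit customer key
    key = session_key(ck, b"\x01" * 16, b"\x00\x01", b"\x00\x02")
    print("session key:", key.hex())
```

Both ends run the same `session_key` computation over the same inputs, so they obtain the same 256-bit key without it ever being transmitted; a new source random number or a changed customer key yields an unrelated key, which is the behaviour the page describes when the customer key is reconfigured.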