
CN117579182B - Service encryption method of passive optical network system, electronic equipment and storage medium - Google Patents


Info

Publication number: CN117579182B
Authority: CN (China)
Prior art keywords: encryption, key, onu, uplink, optical network
Legal status: Active
Application number: CN202410063582.1A
Other languages: Chinese (zh)
Other versions: CN117579182A
Inventors: 刘凯林, 王鹏, 蔡立勇, 张伟良
Current assignee: ZTE Corp
Original assignee: ZTE Corp
Related PCT application: PCT/CN2025/071772 (published as WO2025152864A1)

Classifications

    • H04B10/85 Protection from unauthorised access, e.g. eavesdrop protection (under H04B10/00 Transmission systems employing electromagnetic waves other than radio-waves, and H04B10/80 Optical aspects relating to the use of optical transmission for specific applications)
    • H04L9/0891 Revocation or update of secret information, e.g. encryption key update or rekeying (under H04L9/00 Cryptographic mechanisms or arrangements for secret or secure communications; network security protocols, and H04L9/08 Key distribution or management)
    • H04L9/14 Cryptographic mechanisms or arrangements using a plurality of keys or algorithms
    • H04L9/16 Cryptographic mechanisms or arrangements using a plurality of keys or algorithms, the keys or algorithms being changed during operation
    • H04Q11/0067 Provisions for optical access or distribution networks, e.g. GE-PON, A-PON, PON-Ring (under H04Q11/00 Selecting arrangements for multiplex systems, H04Q11/0001 using optical switching, and H04Q11/0062 Network aspects)


Abstract

The present application discloses a service encryption method for a passive optical network (PON) system, together with an electronic device and a storage medium, in the field of communication technology. The technical solution is as follows: encryption enable information is sent to the optical network unit (ONU); after uplink-and-downlink encryption or uplink-only encryption has been enabled, the encryption algorithm currently negotiated between the OLT and the ONU is switched dynamically through the OMCI entity ONU2-G; key synchronization with the ONU is performed according to the algorithm selected by the switch; after key synchronization, the frame from which the new key or new algorithm takes effect is determined from a target value of the superframe counter or a Key Index, and that target value or Key Index is sent to the ONU. This allows a PON system to support multiple encryption algorithms and to switch between them dynamically.

Description

Service encryption method, electronic device and storage medium for a passive optical network system

Technical field

The present application relates to the field of communication technology, and in particular to a service encryption method, electronic device and storage medium for a passive optical network system.

Background

A passive optical network (PON) is a broadband passive optical access technology with a point-to-multipoint fibre topology. It consists of an optical line terminal (OLT) installed at the central office, a set of optical network units (ONUs) installed at subscriber premises, and an optical distribution network (ODN). The ODN is usually point-to-multipoint, with one OLT serving many ONUs. Between the OLT and the ONUs, the ODN contains only optical fibre and passive components such as splitters or couplers; it contains no active equipment. Because PON offers comparatively low cost and smooth upgrade paths among fibre access methods, it has become the direction of development for broadband access networks.

PON comes in several forms, such as APON (ATM Passive Optical Network, where ATM is asynchronous transfer mode), BPON (Broadband Passive Optical Network), EPON (Ethernet Passive Optical Network), GPON (Gigabit Passive Optical Network), XGPON (10-Gigabit-capable Passive Optical Network) and XGSPON (10-Gigabit-capable Symmetric Passive Optical Network), but their basic structures differ little. During data transmission, the downstream direction is broadcast: the OLT at the central office sends the downstream optical signal through an optical splitter, which divides it among the ONUs, while the upstream signals from the individual ONUs are combined in the reverse direction by an optical coupler onto a single fibre and carried to the OLT.

With the continued development of optical networks, fibre to the home (FTTH) has been rolled out widely, and its optical line terminals (OLTs) and optical network units (ONUs) are in broad use. However, the current international standard defines only one advanced encryption algorithm for GPON, whereas GPON products for the FTTR (Fiber To The Room) scenario must be developed to suit the application needs of different countries, regions and network operators: different countries may use different encryption algorithms, and so may different network operators.

Existing technical solutions consider only a single data encryption algorithm mode and provide no multi-algorithm negotiation during the configuration phase in which the ONU connects to the OLT. They lack compatible handling of multiple encryption algorithms and therefore cannot meet the requirement, from multiple countries, regions and network operators, that GPON equipment in FTTR scenarios support multiple encryption algorithms and switch between them dynamically.

Summary of the invention

The main purpose of the present application is to provide a service encryption method, electronic device and storage medium for a passive optical network system, so that the PON system can support multiple encryption algorithms and switch dynamically between them.

To achieve the above object, the present application provides a service encryption method for a passive optical network system, applied to an optical line terminal OLT, which includes:

sending encryption enable information to the optical network unit ONU, where the encryption enable information indicates whether encryption is currently disabled, only uplink encryption is enabled, only downlink encryption is enabled, or both uplink and downlink encryption are enabled;

after uplink-and-downlink encryption or uplink encryption has been enabled, dynamically switching the encryption algorithm currently negotiated between the OLT and the ONU through the OMCI entity ONU2-G;

performing key synchronization with the ONU according to the encryption algorithm selected by the dynamic switch;

after key synchronization, determining, from a target value of the superframe counter or a Key Index, the frame from which the new key or new encryption algorithm is used, and sending that target value of the superframe counter or Key Index to the ONU.

In addition, to achieve the above object, the present application provides a service encryption method for a passive optical network system, applied to an optical network unit ONU, which includes:

receiving encryption enable information sent by the optical line terminal OLT, where the encryption enable information indicates whether encryption is currently disabled, only uplink encryption is enabled, only downlink encryption is enabled, or both uplink and downlink encryption are enabled;

after uplink-and-downlink encryption or uplink encryption has been enabled, dynamically switching the encryption algorithm currently negotiated between the OLT and the ONU through the OMCI entity ONU2-G;

performing key synchronization with the OLT according to the encryption algorithm selected by the dynamic switch;

after key synchronization, receiving the target value of the superframe counter or the Key Index sent by the OLT, and determining from that target value or Key Index the frame from which the new key or new encryption algorithm is used.

In addition, to achieve the above object, the present application also provides a service encryption method for a passive optical network system, applied to an FTTR master device MFU, which includes:

sending encryption enable information to the FTTR slave device SFU, where the encryption enable information indicates whether encryption is currently disabled, only uplink encryption is enabled, only downlink encryption is enabled, or both uplink and downlink encryption are enabled;

after uplink-and-downlink encryption or uplink encryption has been enabled, dynamically switching the encryption algorithm currently negotiated between the MFU and the SFU through the OMCI entity ONU2-G;

performing key synchronization with the SFU according to the encryption algorithm selected by the dynamic switch;

after key synchronization, determining, from a target value of the superframe counter or a Key Index, the frame from which the new key or new encryption algorithm is used, and sending that target value of the superframe counter or Key Index to the SFU.

In addition, to achieve the above object, the present application also provides a service encryption method for a passive optical network system, applied to an FTTR slave device SFU, which includes:

receiving encryption enable information sent by the FTTR master device MFU, where the encryption enable information indicates whether encryption is currently disabled, only uplink encryption is enabled, only downlink encryption is enabled, or both uplink and downlink encryption are enabled;

after uplink-and-downlink encryption or uplink encryption has been enabled, dynamically switching the encryption algorithm currently negotiated between the MFU and the SFU through the OMCI entity ONU2-G;

performing key synchronization with the MFU according to the encryption algorithm selected by the dynamic switch;

after key synchronization, receiving the target value of the superframe counter or the Key Index sent by the MFU, and determining from that target value or Key Index the frame from which the new key or new encryption algorithm is used.

In addition, to achieve the above object, the present application also provides an electronic device comprising a memory, a processor, and a service encryption program for a passive optical network system that is stored in the memory and can run on the processor; when the processor executes the program, the service encryption method for a passive optical network system described above is carried out.

In addition, to achieve the above object, the present application also provides a storage medium, namely a computer-readable storage medium on which a service encryption program for a passive optical network system is stored; when a processor executes the program, the service encryption method for a passive optical network system described above is carried out.

The present application proposes a service encryption method, electronic device and storage medium for a passive optical network system. In this method, the technical solution of the embodiment is to send encryption enable information to the optical network unit ONU, where the encryption enable information indicates whether encryption is disabled, only uplink encryption is enabled, only downlink encryption is enabled, or both uplink and downlink encryption are enabled. Then, after uplink-and-downlink encryption or uplink encryption has been enabled, the encryption algorithm currently negotiated between the OLT and the ONU is switched dynamically through the OMCI entity ONU2-G, key synchronization is performed with the ONU according to the algorithm selected by the switch, and after key synchronization the frame from which the new key or new algorithm is used is determined from a target value of the superframe counter or a Key Index. That target value or Key Index is sent to the ONU to notify it to use the new key or new algorithm from the specified frame, so that uplink service frames are encrypted and decrypted. This adds uplink encryption to asymmetric and symmetric GPON in the FTTR (Fiber To The Room) scenario, and thereby allows the various PON modes in the FTTR scenario (including but not limited to asymmetric GPON, symmetric GPON, asymmetric XGPON and symmetric XGPON) to support the uplink/downlink encryption enable policy, the SM4 encryption algorithm and the dynamic algorithm switching policy, effectively meeting the requirement that a PON system support multiple encryption algorithms and switch between them dynamically.

Brief description of the drawings

In order to illustrate the technical solutions of the embodiments of the present application or of the prior art more clearly, the drawings needed for the description of the embodiments or of the prior art are briefly introduced below. Obviously, the drawings described below show only some embodiments of the present application; a person of ordinary skill in the art can obtain other drawings from the structures shown in these drawings without creative effort.

FIG. 1 is a schematic flow chart of a service encryption method for a passive optical network system in the first embodiment of the present application;

FIG. 2 is a schematic flow chart of a service encryption method for a passive optical network system in the second embodiment of the present application;

FIG. 3 is a structural block diagram of an electronic device according to an exemplary embodiment of the present application.

Detailed description of the embodiments

Exemplary embodiments are described in detail here, and examples of them are shown in the accompanying drawings. Where the following description refers to the drawings, the same numerals in different drawings denote the same or similar elements unless otherwise indicated. The implementations described in the following exemplary embodiments do not represent all implementations consistent with the present application; they are merely examples of devices and methods consistent with some aspects of the present application as detailed in the appended claims.

With the continued development of optical networks, fibre to the home (FTTH) has been rolled out widely, and its central office products (OLT, Optical Line Terminal) and terminal products (ONU, Optical Network Unit) are in broad use. In a passive optical network system, the equipment can be classified by the protocol of its transmission convergence (TC) layer into gigabit PON equipment (GPON, Gigabit-capable Passive Optical Network), 10G PON equipment (XGPON, 10-Gigabit-capable Passive Optical Networks), 10G symmetric PON equipment (XGSPON, 10-Gigabit-capable Symmetric Passive Optical Networks), 50G high-speed PON equipment (HSPON, Higher speed passive optical networks), and the 100G PON currently under research. These passive optical network system architectures generally include an optical line terminal (OLT), optical network units (ONUs) and an optical distribution network (ODN).

In the ITU-T series of standards, the encryption algorithm for every PON access mode is AES-128, but the encryption directions differ: asymmetric and symmetric GPON encrypt only the downstream direction, while asymmetric and symmetric XGPON encrypt both the downstream and upstream directions. In the FTTR (Fiber To The Room) scenario and in the G.fin series of standards, however, the PON access modes (including but not limited to asymmetric GPON, symmetric GPON, asymmetric XGPON and symmetric XGPON) need to support multiple encryption algorithms (including but not limited to AES-128, AES-256, Camellia-128, Camellia-256 and SM4) and dynamic algorithm switching in both the downstream and upstream directions.

The existing related technologies provide no effective solution to the above problems, and how to solve them in practical applications has become an open problem in the FTTR scenario.

From the above introduction to the international PON standards it can be seen that the existing technical solutions consider only a single data encryption algorithm mode, provide no multi-algorithm negotiation during the configuration phase in which the ONU connects to the OLT, lack compatible handling of multiple encryption algorithms, and cannot meet the requirement, from multiple countries, regions and network operators, that PON equipment support multiple encryption algorithms and switch between them dynamically.

On this basis, refer to FIG. 1, which is a schematic flow chart of a service encryption method for a passive optical network system in the first embodiment of the present application. As shown in FIG. 1, the service encryption method is applied to an optical line terminal OLT and mainly includes the following steps.

Step S100: send encryption enable information to the optical network unit ONU;

where the encryption enable information indicates whether encryption is currently disabled, only uplink encryption is enabled, only downlink encryption is enabled, or both uplink and downlink encryption are enabled.

The service encryption method for a passive optical network system in this embodiment can be applied to PON home or enterprise networking, to FTTR scenarios and so on; this embodiment places no specific limitation on the application.

Those skilled in the art know that a PLOAM (Physical Layer Operations, Administration and Maintenance) message refers to physical layer operation, administration and maintenance in the transmission convergence layer protocol stack of the GPON protocol layers. An OMCI (ONU Management and Control Interface) message belongs to a protocol, defined in the GPON standard, for information exchange between the OLT and the ONU; it is used by the OLT to manage the ONU in a GPON network, covering configuration management, fault management, performance management and security management.

In this embodiment, the encryption enable information can be sent to the optical network unit ONU in a PLOAM message or an OMCI message. Specifically, the encryption enable information can carry an encryption enable flag, which indicates whether encryption is currently disabled, only uplink encryption is enabled, only downlink encryption is enabled, or both uplink and downlink encryption are enabled.

Exemplarily, the encryption enable flag is carried in the encryption enable information in the following manner:

Step A10: carry the encryption enable flag in designated bits of the PTI (Payload Type Indicator) field of the encryption enable information, where a first designated value of those bits indicates that encryption is disabled, a second designated value indicates that only uplink encryption is enabled, a third designated value indicates that only downlink encryption is enabled, and a fourth designated value indicates that both uplink and downlink encryption are enabled.

In this embodiment, it is readily understood that the first, second, third and fourth designated values are all distinct; different designated values indicate different encryption modes.

The embodiment of the present application can enable uplink and downlink encryption for the various PON modes. For different application scenarios, each PON mode (including but not limited to asymmetric GPON, symmetric GPON, asymmetric XGPON and symmetric XGPON) supports the encryption enable action through standard PLOAM or OMCI messages, or through custom PLOAM or OMCI messages, covering the four uplink/downlink enable policies: encryption disabled, uplink encryption only, downlink encryption only, and both uplink and downlink encryption.

Furthermore, the embodiment of the present application can realize mixed encryption among different ONUs under the same PON port: according to the importance of their services, different ONUs under the same PON port may use different encryption algorithms, and the OLT configures the encryption algorithm of each ONU through the OMCI entity ONU2-G. Specifically, all ONUs under the same PON port can be configured to the same encryption algorithm by broadcast, or a particular ONU or group of ONUs can be configured to an encryption algorithm by unicast or multicast configuration.

The embodiment of the present invention adds uplink encryption and frame-interval configuration rules to the asymmetric and symmetric GPON modes, adds the uplink/downlink encryption enable policy, the SM4 encryption algorithm and the dynamic algorithm switching policy to the various PON modes (including but not limited to asymmetric GPON, symmetric GPON, asymmetric XGPON and symmetric XGPON), and proposes a mixed encryption policy for different ONUs under the same PON port of the OLT, thereby realizing the FTTR encryption method.

After step S100, step S200 is performed: after uplink-and-downlink encryption or uplink encryption has been enabled, dynamically switch the encryption algorithm currently negotiated between the OLT and the ONU through the OMCI (ONU Management and Control Interface) entity ONU2-G;

In general, a PON system consists of three parts: the OLT (Optical Line Termination), the ODN (Optical Distribution Network) and the ONU/ONT (Optical Network Unit/Optical Network Termination). The OLT provides the network-side interface (SNI, Service Network Interface) of the PON system and connects one or more ODNs. Passive optical splitters branch the OLT's downstream data to each ONU and aggregate the upstream data of multiple ONUs/ONTs towards the OLT.

As is known to those skilled in the art, transmission from the OLT to the ONU is called downlink (downstream), and the reverse direction is called uplink (upstream).

In this embodiment, since the ONU and the OLT have already completed key synchronization, the keys currently used by the ONU and the OLT are identical during uplink encryption, so both sides encrypt/decrypt with the same key and no uplink frames are lost.

The initiator of the key negotiation that accompanies the dynamic switch of encryption algorithm in this embodiment is not necessarily the OLT; it may be the ONU, or both parties may initiate it jointly. This embodiment does not specifically limit this.

In one example, the key negotiation may be performed by having the OLT and the ONU generate the encryption key from a random number and system parameters. What is transmitted during the negotiation is a transfer value derived from the random number and the system parameters, so that even an eavesdropper who captures the transfer value, or even the system parameters, cannot recover the encryption key without knowing the random number. Compared with transmitting a plaintext key directly over the network, as in the related art, this greatly improves the security of the key negotiation. In addition, the transfer value or response message in this embodiment is fragmented and each fragment is sent multiple times: fragmentation improves the security of the transmission, and repeated sending improves its reliability. If, when the OLT or ONU receives the transfer value, any fragment fails to arrive on every attempt, the request-to-update-encryption-key message is resent; if the number of consecutive request-to-update-encryption-key messages exceeds the predetermined limit, key negotiation is declared to have failed.

It should be noted that the encryption algorithms currently negotiated between the OLT and the ONU include, but are not limited to, AES-128, AES-256, Camellia-128, Camellia-256 and SM4.

As is known to those skilled in the art, the OMCI entity ONU2-G is the virtual device or entity unit used in the prior art for dynamic switching of the encryption algorithm, and is not described further here. It should be noted that the OMCI entity ONU2-G has so far not been used to dynamically switch the encryption algorithm of uplink data.

In this embodiment, during dynamic switching of the encryption algorithm through the OMCI entity ONU2-G, the various PON modes (including but not limited to GPON asymmetric, GPON symmetric, XGPON asymmetric and XGPON symmetric) all support multiple encryption algorithms (including but not limited to AES-128, AES-256, Camellia-128, Camellia-256 and SM4). Specifically, the ONU reports the algorithms it supports to the OLT through the Security capability attribute of the OMCI entity ONU2-G, and when the ONU is instantiated the Security mode attribute of ONU2-G is set to a particular value, for example 1, meaning that the AES-128 algorithm is used.

By way of example, the OLT sets the ONU's encryption algorithm through the Security mode attribute of the OMCI entity ONU2-G: a Security mode value of 1 switches the algorithm to AES-128, and a value of 5 switches it to SM4. The switch takes effect after the ONU responds.

After step S200, step S300 is performed: synchronize keys with the ONU according to the encryption algorithm after the dynamic switch;

Step S400: after key synchronization, determine, from a target value of the superframe counter or from the Key Index, the specified frame from which the new key or new encryption algorithm is used, and send the target value of the superframe counter or the Key Index to the ONU.

By way of example, determining from the target value of the superframe counter or the Key Index the specified frame from which a new key or new encryption algorithm is used includes:

when the passive optical network system is a GPON asymmetric or GPON symmetric system, using the new key or new encryption algorithm from the specified frame according to the target value of the superframe counter;

when the passive optical network system is an XGPON or XGSPON system, using the new key or new encryption algorithm from the specified frame according to a change of the Key Index.

In this embodiment, the target value of the superframe counter or the Key Index may be sent to the ONU in a PLOAM message or an OMCI message.

By way of example, the OLT and all ONUs use the synchronized superframe counter, which consists of an intra-frame counter and an inter-frame counter. The superframe counter is 46 bits wide: the low 16 bits are the intra-frame counter and the high 30 bits are the inter-frame counter. For uplink encryption, the intra-frame counter is set to 0 at the start of the upstream frame and increments every 4 bytes; the inter-frame counter is carried in the GTC Header field of the downstream GTC (GPON Transmission Convergence) frame, and that GTC Header field specifies the upstream GTC burst in which the upstream GEM frame is transmitted.

Further, when the passive optical network system is a GPON asymmetric or GPON symmetric system, in the upstream direction the burst of the GTC framing sublayer is divided into a number of 4-byte data blocks, numbered consecutively from S to (S+X);

where S = ⌊target StartTime / m⌋, the target StartTime is the StartTime of the first allocation of the DLL (Dynamic Link Library) framing sublayer burst, StartTime indicates the start time of the bandwidth-allocation slot, and X is the number of data blocks minus one (that is, the number of data blocks in the GTC upstream burst minus one),

m is a value preset according to the upstream data rate: m = 4 for 1.25G upstream and m = 2 for 2.5G upstream;

the superframe counter comprises an intra-frame counter and an inter-frame counter, where the value of the intra-frame counter covers all FEC (forward error correction) parity bytes.

It should be noted that in this embodiment, in CTR (counter) mode, the OLT and all ONUs use a synchronized superframe counter (SFC, Superframe Counter). The superframe counter is 46 bits wide, the low 16 bits forming the intra-frame counter and the high 30 bits the inter-frame counter. The intra-frame counter is set to 0 at the start of each upstream and downstream frame and increments every 4 bytes. In uplink and downlink encryption the intra-frame counter value may cover all FEC (forward error correction) parity bytes, or it may exclude them; this embodiment does not specifically limit this.

Specifically, the intra-frame counter is 0 at the start of the downstream frame (the first byte of the GTC Header) and increments every 4 bytes. In a system with a downstream rate of 2.488 Gbit/s, the intra-frame counter ranges from 0 to 9719.

In the upstream direction, the burst of the GTC framing sublayer is divided into 4-byte blocks, numbered consecutively from S to (S+X). Here S = ⌊StartTime / m⌋, with m = 4 for 1.25G upstream and m = 2 for 2.5G upstream; ⌊x⌋ denotes x rounded down, StartTime is the StartTime of the first allocation of the DLL framing sublayer burst, and X is the number of complete and incomplete 4-byte blocks in the GTC upstream burst minus 1. Note that encryption is performed before FEC. However, the intra-frame counter values are taken from the frame as transmitted, so in general the downstream and upstream intra-frame counter values must include all FEC parity bytes, with scrambling applied last.

In the upstream direction, the inter-frame counter is carried in the PCBd (Physical Control Block downstream) field of the downstream GTC frame, which specifies the upstream burst in which the upstream GTC frame is transmitted. The ONU maintains a synchronized local counter, so errors in this field can be corrected. The cipher blocks are aligned with the start of the GEM payload.

In this embodiment, only the payload of a GEM frame/fragment is encrypted; the GEM header is not. Since a GEM fragment is not necessarily a whole number of cipher blocks, the tail data block (1 to 16 bytes long) is XORed with the MSB end of the tail cipher block (16 bytes long), and the remainder of the tail cipher block is discarded.
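The counter layout, upstream block numbering and payload-only CTR handling described in the preceding paragraphs, worked through as an added example (not code from the patent or from ITU-T G.984.3). The SHA-256 keystream stand-in, the convention that the intra-frame counter advances by 4 per 16-byte cipher block, and the sample burst are assumptions of this illustration, not taken from the page.

```python
import hashlib
import math

BLOCK_BYTES = 4                 # the intra-frame counter advances once per 4 bytes
CIPHER_BLOCK_BYTES = 16         # AES-128 / SM4 block size
INTRA_BITS = 16                 # low 16 bits of the 46-bit superframe counter
INTER_BITS = 30                 # high 30 bits of the 46-bit superframe counter
DOWNSTREAM_FRAME_BYTES = 38880  # one downstream GTC frame at 2.488 Gbit/s

# m as stated on the page: 1.25G upstream -> 4, 2.5G upstream -> 2
M_FOR_UPSTREAM_RATE = {"1.25G": 4, "2.5G": 2}


def superframe_counter(inter_frame, intra_frame):
    """Compose the 46-bit SFC: inter-frame counter in the high 30 bits,
    intra-frame counter in the low 16 bits."""
    if not 0 <= inter_frame < (1 << INTER_BITS):
        raise ValueError("inter-frame counter must fit in 30 bits")
    if not 0 <= intra_frame < (1 << INTRA_BITS):
        raise ValueError("intra-frame counter must fit in 16 bits")
    return (inter_frame << INTRA_BITS) | intra_frame


def split_superframe_counter(sfc):
    """Inverse of superframe_counter: returns (inter_frame, intra_frame)."""
    return sfc >> INTRA_BITS, sfc & ((1 << INTRA_BITS) - 1)


def downstream_intra_frame_range(frame_bytes=DOWNSTREAM_FRAME_BYTES):
    """Intra-frame counter range of one downstream frame: 0 at the first GTC
    Header byte, +1 every 4 bytes, hence 0..9719 for a 38880-byte frame."""
    return 0, frame_bytes // BLOCK_BYTES - 1


def upstream_block_numbers(start_time, burst_len_bytes, upstream_rate):
    """Number the 4-byte blocks of one upstream GTC burst S..S+X, where
    S = floor(StartTime / m) and X = (complete + incomplete blocks) - 1."""
    m = M_FOR_UPSTREAM_RATE[upstream_rate]
    s = start_time // m
    n_blocks = math.ceil(burst_len_bytes / BLOCK_BYTES)
    return list(range(s, s + n_blocks))


def _keystream_block(key, sfc):
    """Stand-in for E_key(counter block). The real system runs the negotiated
    block cipher (AES-128, SM4, ...) in CTR mode on a counter block derived from
    the 46-bit SFC; SHA-256(key || SFC) truncated to 16 bytes is used here only
    so that the example runs with the standard library."""
    return hashlib.sha256(key + sfc.to_bytes(6, "big")).digest()[:CIPHER_BLOCK_BYTES]


def ctr_gem_payload(key, inter_frame, first_block, header, payload):
    """Encrypt (or, being XOR-based, decrypt) one GEM frame/fragment.

    Only the payload is processed; the GEM header is returned unchanged.
    Cipher blocks are aligned with the start of the GEM payload; first_block is
    the 4-byte block number at which the payload starts, and because a 16-byte
    cipher block spans four 4-byte blocks the intra-frame counter advances by 4
    per cipher block (assumption of this illustration). The final partial block
    (1..16 bytes) is XORed with the leading bytes of its cipher block and the
    rest of that cipher block is discarded."""
    out = bytearray()
    for i in range(0, len(payload), CIPHER_BLOCK_BYTES):
        chunk = payload[i:i + CIPHER_BLOCK_BYTES]
        intra = first_block + BLOCK_BYTES * (i // CIPHER_BLOCK_BYTES)
        ks = _keystream_block(key, superframe_counter(inter_frame, intra))
        out.extend(a ^ b for a, b in zip(chunk, ks))  # zip truncates to len(chunk)
    return header, bytes(out)


def demo():
    """Constructed sample: a 1.25G upstream burst at StartTime 100 carrying one
    GEM fragment whose 37-byte payload spans two full blocks and a 5-byte tail."""
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed key
    header = b"\x00\x25\x00\x01\x00"                        # constructed GEM header
    payload = bytes(range(37))                              # constructed payload
    blocks = upstream_block_numbers(100, len(header) + len(payload), "1.25G")
    hdr, ct = ctr_gem_payload(key, 7, blocks[0], header, payload)
    _, pt = ctr_gem_payload(key, 7, blocks[0], hdr, ct)       # decrypt = encrypt
    return hdr == header and len(ct) == len(payload) and ct != payload and pt == payload
```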

In one embodiment, the specified frame is the information frame at which the value of the superframe counter reaches the target value. Determining, from the target value of the superframe counter, the specified frame from which the new decryption key is used may specifically include: according to the target value of the superframe counter, starting to use the new decryption key when the superframe counter configured on the ONU side reaches the target value, the superframe counter on the ONU side being synchronized with the superframe counter configured on the OLT side.

In this embodiment, after key synchronization the specified frame from which a new key or new encryption algorithm is used is determined from the target value of the superframe counter or from the Key Index, and that target value or Key Index is sent to the ONU in a PLOAM or OMCI message to notify the ONU to use the new key or algorithm from the specified frame. This avoids the OLT and the ONU activating the new key or algorithm at different times because of the message exchange between them, achieves a seamless switch of Port-ID encryption/decryption enabling, and ensures that no upstream data is lost.

It is worth mentioning that this embodiment of the present application provides a method of implementing FTTR (Fiber to the Room) encryption. For GPON asymmetric and GPON symmetric in the FTTR scenario, it adds uplink encryption and configuration rules for the inter-packet gap (IPG). For the various PON modes in the FTTR scenario (including but not limited to GPON asymmetric, GPON symmetric, XGPON asymmetric and XGPON symmetric) it adds uplink/downlink encryption-enabling policies, the SM4 algorithm and a dynamic algorithm-switching policy; and for different ONUs under the same PON port of the OLT it proposes a mixed encryption policy.

It should be noted that all embodiments of the present application can operate in FTTR scenarios and under the G.fin series of standards, and can also operate in other scenarios; the present application does not limit this.

The present application proposes a service encryption method for a passive optical network system, an electronic device and a storage medium. In the service encryption method, the technical solution of the embodiments is to send encryption-enabling information to the optical network unit ONU, the information indicating that encryption is currently disabled, uplink encryption only is enabled, downlink encryption only is enabled, or both uplink and downlink encryption are enabled. Then, after uplink and downlink encryption or uplink encryption only has been enabled, the encryption algorithm currently negotiated between the OLT and the ONU is dynamically switched through the OMCI entity ONU2-G of the OMCI device; keys are synchronized with the ONU according to the switched algorithm; and after key synchronization the specified frame from which the new key or new algorithm is used is determined from the target value of the superframe counter or the Key Index, which is sent to the ONU to notify it to use the new key or algorithm from that frame. This implements encryption and decryption of uplink service packets, adds uplink encryption for GPON asymmetric and GPON symmetric in the FTTR (Fiber To The Room) scenario, and thereby lets the various PON modes in the FTTR scenario (including but not limited to GPON asymmetric, GPON symmetric, XGPON asymmetric and XGPON symmetric) support uplink/downlink encryption-enabling policies, the SM4 algorithm and dynamic algorithm switching, effectively meeting the requirement that the PON system support multiple encryption algorithms and dynamic switching between them.

To aid understanding of the embodiments of the present application, the technical principle of key exchange and key update between the OLT and the ONU in one specific embodiment is set out below:

In this embodiment, after the encryption algorithm has been switched through the OMCI entity ONU2-G, the OLT and the ONU exchange and update keys through a series of PLOAM messages.

For the GPON asymmetric and GPON symmetric PON modes, the OLT requests a new key from the ONU by sending the downstream PLOAM message Request_Key. The ONU responds by generating and storing the key and sending it to the OLT in the upstream PLOAM message Encryption_Key. Because of the PLOAM message length limit, the key is split into two parts, with the Frag_Index field indicating which part of the key is being sent; each part is sent three times. The Key_Index field indicates which ONU the key being sent belongs to. If the OLT fails to receive any part of the key on all three attempts, it asks the ONU to generate another key by issuing a new Request_Key message. If the key transfer fails three times, the OLT shall declare key synchronization lost and deactivate the ONU. If the OLT receives the key successfully, it stores the verified key in the Shadow_Key_Register.

After the OLT has successfully received the key, the key is updated: the OLT sends the value of the superframe counter (SFC, Super-frame Counter) to the ONU in the PLOAM message Key_Switching_Time. This message is sent three times, and the ONU need only receive one copy to learn the key-switching time, that is, the frame from which the new key or new encryption algorithm takes effect. At the start of the specified frame, the OLT copies the contents of its Shadow_Key_Register into its Active_Key_Register, and the ONU likewise copies its Shadow_Key_Register into its Active_Key_Register. From the specified frame onwards both the OLT and the ONU use the new key or new encryption algorithm, completing the key update.

For the GPON asymmetric and GPON symmetric PON modes, after the algorithm switch the key update takes effect with reference to the SFC value (the target value of the superframe counter described above) that the ONU receives from the OLT.

It should be noted that the many details set out in this specific embodiment merely aid understanding of the technical principle or concept of the present application and do not limit it; simple variations in other forms based on this technical concept all fall within the scope of protection of the present application.

In a possible implementation, step S300, synchronizing keys with the ONU according to the encryption algorithm after the dynamic switch, includes:

Step S310: instruct the ONU to generate a new key according to the encryption algorithm after the dynamic switch;

In this embodiment, the OLT may instruct the ONU to generate a new key by sending the key request message Request_Key.

Specifically, the ONU is instructed to generate a new key according to the algorithm type of the switched encryption algorithm. For example, if the switched algorithm is SM4, the new key the ONU is instructed to generate is one generated for the SM4 algorithm.

Step S320: after receiving the new key reported by the ONU, specify the key-switching time at which the new key takes effect and notify the ONU of that time;

In this embodiment, the OLT may notify the ONU of the key-switching time by sending the key-switching-time message Key_Switching_Time.

Step S330: after receiving the ONU's response confirming receipt of the key-switching time, load the new key into the register holding the key in current use at the key-switching time.

After the ONU receives the key-switching time sent by the OLT, it returns a response to the OLT confirming receipt of the key-switching time.

Specifically, in this embodiment the OLT and the ONU may interact using the messages of the ITU-T G.984.3 standard: the OLT instructs the ONU to generate a new key with the key request message Request_Key and notifies it of the key-switching time with the key-switching-time message Key_Switching_Time; after key synchronization it may notify the ONU to enable decryption of the GEM-PORT with the GEM-PORT encryption message Encrypted_Port_ID. The ONU reports the new key to the OLT with the key request response message Encryption_Key and tells the OLT that it has received the key-switching time with the Acknowledge message.

By instructing the ONU to generate a new key according to the switched encryption algorithm, specifying the key-switching time at which the new key takes effect once the ONU's new key has been received, notifying the ONU of that time, and then, once the ONU has confirmed receipt of the key-switching time, loading the new key into the register holding the key in current use at that time, this embodiment ensures that the key-switching time is the same on the ONU and OLT sides; if it were not, the OLT would be unable to receive the data sent by the ONU.
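The OLT-side exchange described in the Request_Key / Encryption_Key / Key_Switching_Time passage above and in steps S310 to S330, as an added model that is not the patent's or G.984.3's code. The message names and the three-copy and three-request limits come from the page; the tuple message representation, the simulated lossy ONU, the key-switching-time copies and the sample key are constructed for this example.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

KEY_LEN = 16              # AES-128 / SM4 key, in bytes
FRAG_LEN = KEY_LEN // 2   # PLOAM length limit: the key travels as two Frag_Index halves
REPEATS = 3               # each fragment, and Key_Switching_Time, is sent three times
MAX_KEY_REQUESTS = 3      # three failed transfers: key sync lost, ONU deactivated

# One received Encryption_Key PLOAM: (Frag_Index, payload), payload None if the copy was lost
Fragment = Tuple[int, Optional[bytes]]


@dataclass
class KeyRegisters:
    """Shadow/active key registers, held by both the OLT and the ONU."""
    shadow_key_register: Optional[bytes] = None
    active_key_register: Optional[bytes] = None
    pending_switch_sfc: Optional[int] = None
    active: bool = True
    log: List[str] = field(default_factory=list)

    def switch_at(self, sfc: int) -> bool:
        """Called at the start of every frame with the synchronized SFC; at the
        Key_Switching_Time frame the shadow key is copied into the active register."""
        if self.pending_switch_sfc is not None and sfc == self.pending_switch_sfc:
            self.active_key_register = self.shadow_key_register
            self.pending_switch_sfc = None
            self.log.append(f"sfc={sfc}: Shadow_Key_Register -> Active_Key_Register")
            return True
        return False


def assemble_encryption_key(received: List[Fragment]) -> Optional[bytes]:
    """Reassemble the key from the Encryption_Key copies (2 fragments x 3 repeats).
    One surviving copy per Frag_Index suffices; a Frag_Index that never arrives
    makes the whole transfer fail."""
    parts = {}
    for frag_index, payload in received:
        if payload is not None and frag_index not in parts:
            parts[frag_index] = payload
    if set(parts) != {0, 1}:
        return None
    return parts[0] + parts[1]


def olt_key_exchange(olt: KeyRegisters, onu_reply: Callable[[int], List[Fragment]],
                     target_sfc: int) -> bool:
    """Request_Key -> Encryption_Key -> Shadow_Key_Register -> Key_Switching_Time.
    onu_reply(n) is what the OLT receives in answer to its n-th Request_Key."""
    for n in range(1, MAX_KEY_REQUESTS + 1):
        olt.log.append(f"OLT->ONU Request_Key #{n}")
        key = assemble_encryption_key(onu_reply(n))
        if key is not None:
            olt.shadow_key_register = key
            olt.pending_switch_sfc = target_sfc
            olt.log.append(f"OLT->ONU Key_Switching_Time sfc={target_sfc} (sent {REPEATS}x)")
            return True
        olt.log.append(f"a fragment was lost on all {REPEATS} copies; re-requesting")
    olt.active = False
    olt.log.append("key synchronization lost; ONU deactivated")
    return False


def onu_receive_switching_time(onu: KeyRegisters, copies: List[Optional[int]]) -> bool:
    """The ONU needs only one of the three Key_Switching_Time copies."""
    for sfc in copies:
        if sfc is not None:
            onu.pending_switch_sfc = sfc
            return True
    return False


def make_onu(key: bytes, lost: dict) -> Callable[[int], List[Fragment]]:
    """Simulated ONU: on each Request_Key it returns the (constructed) key as two
    halves, each sent three times; lost[n] is the set of (frag_index, copy) pairs
    dropped on the channel for the n-th request."""
    def reply(n: int) -> List[Fragment]:
        drops = lost.get(n, set())
        return [(f, None if (f, c) in drops else key[f * FRAG_LEN:(f + 1) * FRAG_LEN])
                for f in (0, 1) for c in range(REPEATS)]
    return reply


def run_scenario(lost: dict, switch_time_copies=(None, 1200, 1200), target_sfc: int = 1200):
    """Drive one exchange, then step both sides' synchronized SFC past the switching
    time. Returns (exchange ok, OLT active key, ONU active key, Request_Key count)."""
    key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed ONU key
    olt, onu = KeyRegisters(), KeyRegisters(shadow_key_register=key)
    ok = olt_key_exchange(olt, make_onu(key, lost), target_sfc)
    if ok:
        onu_receive_switching_time(onu, list(switch_time_copies))
    for sfc in range(target_sfc - 2, target_sfc + 2):
        olt.switch_at(sfc)
        onu.switch_at(sfc)
    requests = sum(1 for line in olt.log if line.startswith("OLT->ONU Request_Key"))
    return ok, olt.active_key_register, onu.active_key_register, requests
```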

In a possible implementation, when the passive optical network system is a GPON asymmetric or GPON symmetric system, the target value of the superframe counter is sent to the ONU in a PLOAM message, and the step of sending the target value of the superframe counter to the ONU includes:

Step B10: send an Encrypted_Port_ID message to the ONU, the Encrypted_Port_ID message carrying the target value of the superframe counter.

In this embodiment, after key synchronization the OLT may enable encryption of the GPON encapsulation method port (GEM-PORT) and notify the ONU to enable decryption of the GEM-PORT by sending the GEM-PORT encryption message Encrypted_Port_ID.

By sending the ONU an Encrypted_Port_ID message that carries the target value of the superframe counter, this embodiment avoids the frames at which the OLT and the ONU begin using the new key or new encryption algorithm falling out of step because of the message exchange between them, achieves a seamless switch of Port-ID encryption/decryption enabling, ensures that no upstream data is lost, and thus fully ensures the reliability of the data exchange between the OLT and the ONU.

In addition, to achieve the above object, refer to FIG. 2, which is a schematic flow chart of the service encryption method of a passive optical network system in the second embodiment of the present application. As shown in FIG. 2, an embodiment of the present application also proposes a service encryption method for a passive optical network system, applied to the optical network unit ONU, including:

Step S500: receive the encryption-enabling information sent by the optical line terminal OLT;

In this embodiment, the encryption-enabling information sent by the optical line terminal OLT may be received.

The encryption-enabling information indicates whether encryption is currently disabled, uplink encryption only is enabled, downlink encryption only is enabled, or both uplink and downlink encryption are enabled.

The service encryption method of the passive optical network system in this embodiment may be applied to home or enterprise networking with a PON system, to FTTR scenarios, and so on; this embodiment does not specifically limit this.

As is known to those skilled in the art, PLOAM (Physical Layer Operations, Administration and Maintenance) messages carry the physical-layer operations, administration and maintenance of the transmission convergence layer protocol stack in the GPON protocol layers. OMCI (ONU Management and Control Interface) messages belong to a protocol defined in the GPON standard for information exchange between the OLT and the ONT, used by the OLT to manage the ONT in a GPON network, including configuration management, fault management, performance management and security management.

Specifically, the encryption-enabling information may carry an encryption-enable flag indicating whether encryption is currently disabled, uplink encryption only is enabled, downlink encryption only is enabled, or both uplink and downlink encryption are enabled.

By way of example, the encryption-enabling information carries the encryption-enable flag as follows:

Step C10: carry the encryption-enable flag in designated bits of the PTI (Payload Type Indicator) field of the encryption-enabling information, where a first designated value of those bits means encryption is disabled, a second designated value means uplink encryption only, a third designated value means downlink encryption only, and a fourth designated value means both uplink and downlink encryption.

In this embodiment it is readily understood that the first, second, third and fourth designated values are all different; different designated values indicate different encryption modes.

This embodiment of the present application can enable uplink and downlink encryption for the various PON modes. For different application scenarios, the various PON modes (including but not limited to GPON asymmetric, GPON symmetric, XGPON asymmetric and XGPON symmetric) all support performing the encryption-enabling action through standard PLOAM and OMCI messages or through custom PLOAM and OMCI messages, covering four uplink/downlink encryption-enabling policies: encryption disabled, uplink encryption only, downlink encryption only, and both uplink and downlink encryption.

Further, this embodiment can implement mixed encryption for different ONUs under the same PON port: according to the importance of their services, different ONUs under the same PON port may use different encryption algorithms, and the OLT configures each ONU's encryption algorithm through the OMCI entity ONU2-G. Specifically, all ONUs under the same PON port can be configured to the same algorithm by broadcast, or a particular ONU or group of ONUs can be configured to a given algorithm by unicast or multicast configuration.

The embodiments of this invention add upstream encryption and frame gap configuration rules to the GPON asymmetric and GPON symmetric modes; add upstream/downstream encryption enabling policies, the SM4 encryption algorithm and a dynamic algorithm switching policy to all PON modes (including but not limited to GPON asymmetric, GPON symmetric, XGPON asymmetric and XGPON symmetric); and propose a mixed encryption policy for different ONUs under the same PON port of an OLT, thereby realizing an FTTR encryption method.

After step S500, step S600 is performed: once upstream-and-downstream encryption or upstream-only encryption has been enabled, the encryption algorithm currently negotiated between the OLT and the ONU is switched dynamically through the OMCI entity ONU2-G.

In general, a PON system consists of three parts: the OLT (Optical Line Termination), the ODN (Optical Distribution Network) and the ONU/ONT (Optical Network Unit / Optical Network Termination). The OLT provides the network-side interface (SNI, Service Network Interface) of the PON system and connects to one or more ODNs. Passive optical splitters distribute the OLT's downstream data to each ONU and aggregate the upstream data of multiple ONUs/ONTs toward the OLT.

As is known to those skilled in the art, transmission from the OLT to the ONU is called downstream, and the reverse is called upstream.

In this embodiment, because the ONU and the OLT have already completed key synchronization, the keys currently in use on both sides are identical during upstream encryption; the OLT and the ONU can encrypt and decrypt with the same key, and no upstream frames are lost.

The initiator of the key negotiation for dynamic algorithm switching in this embodiment is not necessarily the OLT; it may be the ONU, or both sides may initiate it jointly. This embodiment places no specific restriction on this.

In one example, key negotiation can be performed by having the OLT and the ONU generate the encryption key from a random number and system parameters. What is transmitted throughout the negotiation is a transfer value derived from the random number and the system parameters, so that even if an eavesdropper obtains the transfer value, and even the system parameters, the encryption key cannot be recovered without knowing the random number. Compared with the related art, which transmits the plaintext key directly over the network, this greatly improves the security of the key negotiation. In addition, the transfer value or response message in this embodiment is fragmented and sent several times: fragmenting the data improves the security of the transmission, while sending it several times improves its reliability. If any fragment of the transfer value fails to be received every time at the OLT or the ONU, the request-to-update-encryption-key message is resent; if the number of consecutive request-to-update-encryption-key messages exceeds the predetermined count, key negotiation is declared failed.

It should be noted that the encryption algorithms negotiated between the OLT and the ONU include, but are not limited to, AES-128, AES-256, Camellia-128, Camellia-256 and SM4.

As is known to those skilled in the art, the OMCI entity ONU2-G is an existing virtual device or entity unit used for dynamic switching of the encryption algorithm, and it is not described further here. Note that, at present, the OMCI entity ONU2-G has not been used for dynamic switching of the encryption algorithm for upstream data.

In this embodiment, during dynamic switching of the encryption algorithm via the OMCI entity ONU2-G, every PON mode (including but not limited to GPON asymmetric, GPON symmetric, XGPON asymmetric and XGPON symmetric) supports multiple encryption algorithms (including but not limited to AES-128, AES-256, Camellia-128, Camellia-256 and SM4). Specifically, the ONU reports the algorithms it supports to the OLT through the Security capability attribute of the OMCI entity ONU2-G; when the ONU is instantiated, the Security mode attribute of ONU2-G is set to a particular value, for example 1, meaning the AES-128 algorithm is used.

For example, the OLT sets the ONU's encryption algorithm through the Security mode attribute of the OMCI entity ONU2-G: a Security mode value of 1 switches the algorithm to AES-128, and a value of 5 switches it to SM4. The switch takes effect after the ONU responds.

After step S600, step S700 is performed: key synchronization with the OLT according to the dynamically switched encryption algorithm.

Step S800: after key synchronization, receive the target value of the superframe counter or the Key Index sent by the OLT, and determine from that target value or Key Index the designated frame from which the new key or new encryption algorithm is used.

For example, determining from the target value of the superframe counter or the Key Index the designated frame from which the new key or new encryption algorithm is used includes:

when the passive optical network system is a GPON asymmetric or GPON symmetric system, using the new key or new encryption algorithm from the designated frame according to the target value of the superframe counter;

when the passive optical network system is an XGPON or XGSPON system, using the new key or new encryption algorithm from the designated frame according to the change of the Key Index.

In this embodiment, the target value of the superframe counter or the Key Index sent by the OLT may be received via a PLOAM message or an OMCI message.

For example, the OLT and all ONUs use a synchronized superframe counter, which consists of an intra-frame counter and an inter-frame counter. The superframe counter is 46 bits wide: the lower 16 bits are the intra-frame counter and the upper 30 bits are the inter-frame counter. For upstream encryption, the intra-frame counter is set to 0 at the start of the upstream frame and increments every 4 bytes; the inter-frame counter is carried in the GTC Header field of the downstream GTC frame, and that GTC Header field specifies the upstream GTC burst in which the upstream GEM frames are transmitted.

Specifically, when the passive optical network system is a GPON asymmetric or GPON symmetric system, in the upstream direction the burst of the GTC framing sublayer is divided into 4-byte data blocks, numbered sequentially from S to (S+X);

where S = |_target StartTime / m_|, the target StartTime is the StartTime of the first allocation of the DLL framing sublayer burst, StartTime indicates the start time of the bandwidth allocation slot, and X is the number of data blocks minus one (that is, X is the number of data blocks in the upstream GTC burst minus one);

m is a value preset according to the upstream data rate: for a 1.25G upstream, m = 4; for a 2.5G upstream, m = 2;

the superframe counter includes an intra-frame counter and an inter-frame counter, where the value of the intra-frame counter counts all FEC parity bytes.

It should be noted that in CTR (counter) mode, the OLT and all ONUs use a synchronized superframe counter (SFC, Superframe Counter). The SFC is 46 bits wide: the lower 16 bits are the intra-frame counter and the upper 30 bits are the inter-frame counter. The intra-frame counter is set to 0 at the start of the downstream frame and increments every 4 bytes. In upstream and downstream encryption the superframe counter value may count all FEC (forward error correction) parity bytes, or it may exclude them; this embodiment does not specifically limit this.

Specifically, the intra-frame counter is 0 at the start of the downstream frame (the first byte of the PHY header) and increments every 4 bytes. In a system with a downstream rate of 2.488 Gbit/s, the intra-frame counter ranges from 0 to 9719.

In the upstream direction, the burst of the DLL (Dynamic Link Library) framing sublayer is divided into 4-byte blocks, numbered sequentially from S to (S+X). Here S = |_StartTime / m_|, where m = 4 for a 1.25G upstream and m = 2 for a 2.5G upstream; |_xxx_| denotes xxx rounded down; StartTime is the StartTime of the first allocation of the DLL framing sublayer burst; and X is the number of complete and incomplete 4-byte blocks in the DLL burst minus 1. Note that encryption is performed before FEC. However, because the intra-frame counter values are derived from the transmitted frame, in general the downstream and upstream intra-frame counter values must include all FEC parity bytes, and scrambling is applied last.

In the upstream direction, the inter-frame counter is carried in the PCBd (Physical Control Block downstream) field of the downstream GTC frame, which specifies the upstream burst in which the upstream GTC frame is transmitted. The ONU maintains a synchronized local counter, so errors in this field can be corrected. The random cipher block is aligned with the start of the GEM payload.

In this embodiment, only the payload of a GEM frame or fragment is encrypted; the GEM header is not. Because a GEM fragment is not necessarily a whole number of cipher blocks, the tail data block (1 to 16 bytes long) is XORed with the most significant bits of the tail cipher block (16 bytes long), and the remainder of the tail cipher block is discarded.

In one embodiment, the designated frame is the frame at which the value of the superframe counter reaches the target value. The step of determining, from the target value of the superframe counter, the designated frame from which the new decryption key is used may specifically include: when the superframe counter configured on the ONU side reaches the target value, starting to use the new decryption key, where the ONU-side superframe counter is synchronized with the superframe counter configured on the ONT side.

In this embodiment, after key synchronization the target value of the superframe counter or the Key Index sent by the OLT can be received via a PLOAM or OMCI message, and the designated frame from which the new key or new algorithm is used is determined from it. This avoids inconsistent activation times for the new key caused by message exchange between the OLT and the ONU, achieves seamless switching of Port-ID encryption/decryption enabling, and ensures that the upstream data flow loses no packets.

It is worth mentioning that the embodiments of this application provide a method for implementing FTTR (Fiber to the Room) encryption. For GPON asymmetric and GPON symmetric modes in the FTTR scenario, upstream encryption and inter-packet gap (IPG) configuration rules are added. For all PON modes in the FTTR scenario (including but not limited to GPON asymmetric, GPON symmetric, XGPON asymmetric and XGPON symmetric), upstream/downstream encryption enabling policies, the SM4 encryption algorithm and a dynamic algorithm switching policy are added, and a mixed encryption policy is proposed for different ONUs under the same PON port of an OLT.

This application proposes a service encryption method for a passive optical network system, an electronic device and a storage medium. In the service encryption method, the technical solution of the embodiments is to receive encryption enable information sent by the optical line terminal OLT, where that information indicates whether encryption is currently off, upstream only, downstream only, or both upstream and downstream; once upstream-and-downstream or upstream-only encryption has been enabled, to dynamically switch the encryption algorithm negotiated between the OLT and the ONU through the OMCI entity ONU2-G and to perform key synchronization with the OLT according to the switched algorithm; and then, after key synchronization, to receive the superframe counter target value or Key Index sent by the OLT and determine from it the designated frame from which the new key or new encryption algorithm is used, completing the encryption and decryption of upstream service packets. This adds upstream encryption to the GPON asymmetric and GPON symmetric modes in the FTTR (Fiber To The Room) scenario, so that all PON modes in the FTTR scenario (including but not limited to GPON asymmetric, GPON symmetric, XGPON asymmetric and XGPON symmetric) can support upstream/downstream encryption enabling policies, the SM4 encryption algorithm and dynamic algorithm switching, effectively meeting the requirement that the PON system support multiple encryption algorithms and switch dynamically between them.

In a possible implementation, step S700, performing key synchronization with the OLT according to the dynamically switched encryption algorithm, includes:

Step S710: according to the switched encryption algorithm, the OLT instructs the ONU to generate a new key;

In this embodiment, the ONU may receive a key request message, Request_Key, sent by the OLT, which triggers the ONU to generate the new key.

Specifically, the OLT instructs the ONU to generate a new key according to the algorithm type of the switched encryption algorithm. For example, if the switched algorithm is SM4, the new key the ONU is instructed to generate is one for the SM4 algorithm.

Step S720: report the new key to the ONU, so as to trigger the OLT to specify the key switching time at which the new key takes effect;

In this embodiment, the ONU may receive a key switching time message, Key_Switching_Time, sent by the OLT, and obtain the key switching time from it.

Step S730: receive the key switching time returned by the OLT in response to the new key, and return to the OLT a response confirming receipt of the key switching time, so as to trigger the OLT to load the new key into the current-key register at the key switching time.

Specifically, in this embodiment the OLT and the ONU may exchange the messages defined in ITU-T G.984.3: the OLT instructs the ONU to generate a new key by sending the key request message Request_Key, and notifies the ONU of the key switching time by sending the Key_Switching_Time message. After key synchronization, the OLT notifies the ONU to turn on GEM-PORT decryption by sending the GEM-PORT encryption message Encrypted_Port_ID. The ONU reports the new key to the OLT by sending the key request response message Encryption_Key, and confirms receipt of the key switching time by sending an Acknowledge message.

In this embodiment, the OLT instructs the ONU to generate a new key according to the switched encryption algorithm; the new key is reported to the ONU, triggering the OLT to specify the key switching time at which it takes effect; the ONU receives the key switching time returned by the OLT in response to the new key and confirms its receipt, triggering the OLT to load the new key into the current-key register at the key switching time. This ensures that the key switching times on the ONU and OLT sides are synchronized; if they were not, the OLT would be unable to receive the data sent by the ONU.
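The Request_Key / Encryption_Key / Key_Switching_Time / Acknowledge exchange of steps S710 to S730, as an added Go model that is not the patent's code: both sides keep a current-key register and a pending key, the OLT arms its register only after the Acknowledge, and each side promotes the pending key when its own synchronized frame counter reaches the switching time. Assumptions: messages are abstract structs rather than the G.984.3 PLOAM byte layouts, the switching time is a 30-bit frame count, the new key is random bytes of the length the switched algorithm needs, and the Encrypted_Port_ID message that follows the exchange is not modelled.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"fmt"
)

// Message kinds named after the G.984.3 PLOAM messages cited in the text (assumption: abstract structs).
type msgKind int

const (
	requestKey       msgKind = iota // OLT -> ONU: generate a new key
	encryptionKey                   // ONU -> OLT: the new key
	keySwitchingTime                // OLT -> ONU: frame count at which the new key takes effect
	acknowledge                     // ONU -> OLT: switching time received
)

type message struct {
	kind msgKind
	key  []byte // carried by encryptionKey
	sfc  uint32 // carried by keySwitchingTime (30-bit frame count)
}

// keyRegister is the current-key register plus the pending key that is loaded
// into it once the local, synchronized frame counter reaches switchAt (after arming).
type keyRegister struct {
	current, pending []byte
	switchAt         uint32
	armed            bool
}

// keyForFrame returns the key in force for frame sfc; each side uses its own counter.
func (r *keyRegister) keyForFrame(sfc uint32) []byte {
	if r.armed && sfc >= r.switchAt {
		r.current, r.pending, r.armed = r.pending, nil, false
	}
	return r.current
}

type onu struct {
	keyRegister
	keyLen int // 16 for AES-128 or SM4, 32 for AES-256
}

// handle processes one downstream message and returns the upstream reply, if any.
func (u *onu) handle(m message) (*message, error) {
	switch m.kind {
	case requestKey: // S710: generate a key for the switched algorithm; S720: report it
		k := make([]byte, u.keyLen)
		if _, err := rand.Read(k); err != nil {
			return nil, err
		}
		u.pending = k
		return &message{kind: encryptionKey, key: k}, nil
	case keySwitchingTime: // S730: adopt the switching time and confirm it
		if u.pending == nil {
			return nil, fmt.Errorf("Key_Switching_Time before any new key was generated")
		}
		u.switchAt, u.armed = m.sfc, true
		return &message{kind: acknowledge}, nil
	}
	return nil, fmt.Errorf("unexpected downstream message %d", m.kind)
}

// olt chooses switchAt up front; its register is armed only by the Acknowledge.
type olt struct{ keyRegister }

// handle processes one upstream message and returns the next downstream message, if any.
func (o *olt) handle(m message) (*message, error) {
	switch m.kind {
	case encryptionKey: // hold the key, but do not arm the register yet
		o.pending = m.key
		return &message{kind: keySwitchingTime, sfc: o.switchAt}, nil
	case acknowledge: // now the register will be loaded at switchAt
		o.armed = true
		return nil, nil
	}
	return nil, fmt.Errorf("unexpected upstream message %d", m.kind)
}

// runKeySwitch drives the exchange; dropAck simulates a lost Acknowledge, the unsynchronized case from the text.
func runKeySwitch(oldKey []byte, keyLen int, switchAt uint32, dropAck bool) (o *olt, u *onu, err error) {
	o = &olt{keyRegister: keyRegister{current: oldKey, switchAt: switchAt}}
	u = &onu{keyRegister: keyRegister{current: oldKey}, keyLen: keyLen}
	for down := (&message{kind: requestKey}); down != nil; {
		var up *message
		if up, err = u.handle(*down); err != nil || up == nil || (dropAck && up.kind == acknowledge) {
			break
		}
		down, err = o.handle(*up)
	}
	return o, u, err
}

func main() {
	oldKey := bytes.Repeat([]byte{0x11}, 16) // constructed sample key
	o, u, _ := runKeySwitch(oldKey, 16, 1000, false)
	fmt.Printf("frame 999 keys equal: %v; frame 1000 keys equal: %v\n", bytes.Equal(o.keyForFrame(999), u.keyForFrame(999)), bytes.Equal(o.keyForFrame(1000), u.keyForFrame(1000)))
}
```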

In a possible implementation, when the passive optical network system is a GPON asymmetric or GPON symmetric system, the target value of the superframe counter sent by the OLT is received via a PLOAM message, and the step of receiving that target value includes:

Step D10: receive the Encrypted_Port_ID message sent by the OLT;

Step D20: determine the target value of the superframe counter from the Encrypted_Port_ID message.

In this embodiment, after key synchronization the OLT may turn on encryption of the GPON encapsulation method channel (GEM-PORT) and notify the ONU to turn on GEM-PORT decryption by sending the GEM-PORT encryption message Encrypted_Port_ID.

By receiving the Encrypted_Port_ID message sent by the OLT and determining the superframe counter target value from it, this embodiment carries the superframe counter value in the Encrypted_Port_ID message. This avoids the problem of the OLT and the ONU applying the new key or new encryption algorithm to different frames because of message exchange between them, achieves seamless switching of Port-ID encryption/decryption enabling, ensures no upstream packet loss, and fully guarantees the reliability of data exchange between the OLT and the ONU.

To aid understanding of the technical principles or concepts of the embodiments of this application, a second specific embodiment is given, comprising:

(1) Encrypting the plaintext at the sender to obtain the ciphertext

At the sender, for each data block the 128-bit input to the encryption algorithm is derived from the 46-bit synchronized counter value as follows: the 46 bits are repeated three times to form a 138-bit sequence, and the 10 most significant bits are discarded. The remaining 128 bits are encrypted with the encryption algorithm (including but not limited to AES-128, AES-256, Camellia-128, Camellia-256 and SM4) to produce a 128-bit random cipher block, which is then XORed with the payload data.

For downstream transmission the sender is the OLT and the receiver is the ONU: the OLT encrypts the plaintext and sends the ciphertext to the ONU. For upstream transmission the sender is the ONU and the receiver is the OLT: the ONU encrypts the plaintext and sends the ciphertext to the OLT.

(2) Decrypting the ciphertext at the receiver to obtain the plaintext

Because the counter values and keys of the OLT and the ONU are synchronized, the receiver recovers the plaintext by XORing the received ciphertext with the same 128-bit random cipher block.
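The CTR keystream derivation of items (1) and (2), together with the tail-block rule for GEM fragments, as an added Go example that is not the patent's code: it assembles the 46-bit SFC, repeats it three times and drops the top 10 bits to form the block cipher input, XORs the resulting cipher block with the GEM payload, and XORs a partial tail block against the leading bytes of its cipher block. Assumptions: AES-128 from the Go standard library stands in for the negotiable algorithms (SM4 and Camellia are not in the standard library), the cipher block counter starts at the SFC value at the GEM header and advances by one per 16-byte block as in item 1 of the third specific embodiment, and the key and payload are constructed samples.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
	"math/big"
)

const sfcBits = 46

// superframeCounter assembles the 46-bit SFC: inter-frame counter in the upper
// 30 bits, intra-frame counter (IFC) in the lower 16 bits.
func superframeCounter(interFrame uint32, intraFrame uint16) uint64 {
	return uint64(interFrame&0x3FFFFFFF)<<16 | uint64(intraFrame)
}

// cipherInput derives the 128-bit block cipher input from a 46-bit counter value:
// the counter is repeated three times (138 bits) and the 10 most significant bits are dropped.
func cipherInput(counter uint64) [16]byte {
	c := new(big.Int).SetUint64(counter & (1<<sfcBits - 1))
	v := new(big.Int).Lsh(c, 92)
	v.Or(v, new(big.Int).Lsh(c, 46))
	v.Or(v, c)
	mask := new(big.Int).Lsh(big.NewInt(1), 128)
	mask.Sub(mask, big.NewInt(1))
	v.And(v, mask) // discards bits 128..137
	var out [16]byte
	v.FillBytes(out[:])
	return out
}

// gemCTR XORs a GEM payload with the CTR keystream. startCounter is the SFC at the
// first byte of the GEM header and advances by one per 16-byte cipher block
// (assumption, from item 1 of the third embodiment). A tail of 1..16 bytes is
// XORed with the leading bytes of the last cipher block; the rest of that block
// is discarded. Decryption is the same call with the same key and counter.
func gemCTR(blk cipher.Block, startCounter uint64, payload []byte) []byte {
	out := make([]byte, len(payload))
	counter := startCounter
	for off := 0; off < len(payload); off += 16 {
		in := cipherInput(counter)
		var ks [16]byte
		blk.Encrypt(ks[:], in[:])
		n := len(payload) - off
		if n > 16 {
			n = 16
		}
		for i := 0; i < n; i++ {
			out[off+i] = payload[off+i] ^ ks[i]
		}
		counter = (counter + 1) & (1<<sfcBits - 1)
	}
	return out
}

// gemPayloadCTR instantiates the scheme with AES (16-byte key for AES-128, 32 for AES-256).
func gemPayloadCTR(key []byte, interFrame uint32, intraFrame uint16, payload []byte) ([]byte, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return gemCTR(blk, superframeCounter(interFrame, intraFrame), payload), nil
}

func main() {
	key := bytes.Repeat([]byte{0x2b}, 16) // constructed sample AES-128 key
	payload := make([]byte, 37)           // constructed: two full blocks plus a 5-byte tail
	for i := range payload {
		payload[i] = byte(i)
	}
	ct, err := gemPayloadCTR(key, 5, 0x0123, payload)
	if err != nil {
		panic(err)
	}
	pt, _ := gemPayloadCTR(key, 5, 0x0123, ct) // receiver: same key, same synchronized counter
	in := cipherInput(1)
	fmt.Printf("cipher input for counter 1: %x\n", in[:])
	fmt.Printf("ciphertext: %x\nround trip ok: %v\n", ct, bytes.Equal(pt, payload))
}
```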

(3) Two further encryption enabling schemes for GPON asymmetric and GPON symmetric

Encryption enabling for GPON asymmetric and GPON symmetric is achieved by modifying the Encrypted_Port-ID message or the PTI field of the GEM frame.

The downstream PLOAM message Encrypted_Port-ID of GPON asymmetric and GPON symmetric is used to indicate the downstream encryption enabling time, or the upstream and downstream encryption enabling time. Four of the unused bytes 6 to 12 of the Encrypted_Port-ID message carry the SFC value of the first frame in which the new key takes effect after the key exchange. In the table below, bytes 6 to 9 carry that SFC value: the 6 least significant bits of byte 6 are the 6 most significant bits of the SFC value, byte 9 is its 8 least significant bits, and bytes 7 and 8 are the bits in between. As shown in the following table:

In this embodiment, the second bit of the PTI field of the GEM frame indicates whether encryption is enabled: a value of 1 means encryption is enabled, and a value of 0 means it is not. As shown in the following table:

PTI encoding   Meaning
000            User data fragment, not end of frame, not encrypted
001            User data fragment, end of frame, not encrypted
010            User data fragment, not end of frame, encrypted
011            User data fragment, end of frame, encrypted
100            GEM OAM, not end of frame, not encrypted
101            GEM OAM, end of frame, not encrypted
110            GEM OAM, not end of frame, encrypted
111            GEM OAM, end of frame, encrypted

In this embodiment, whether encryption is enabled in the current transmission direction can be determined from the value of the PTI field in the upstream and downstream GEM frames.
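The two enabling schemes of item (3), as an added Go example that is not the patent's code: it packs the 30-bit SFC of the first frame that uses the new key into bytes 6 to 9 of an Encrypted_Port-ID message exactly as the text lays them out, decodes it on the ONU side, applies the ONU's activation rule, and reads or sets the encryption bit of the 3-bit PTI field per the table above. Assumptions: the message is handled as a 12-byte slice whose index 0 is byte 1 of the text, the two upper bits of byte 6 are left untouched, and counter wrap-around is not handled.

```go
package main

import "fmt"

// Assumption: the Encrypted_Port-ID message is a 12-byte slice; index 0 is
// "byte 1" in the text, so bytes 6..9 are indices 5..8.
const encryptedPortIDLen = 12

// setKeySwitchSFC stores the 30-bit SFC of the first frame using the new key:
// the 6 LSBs of byte 6 carry the 6 MSBs of the SFC, bytes 7 and 8 the middle
// 16 bits, byte 9 the 8 LSBs. The 2 upper bits of byte 6 are preserved.
func setKeySwitchSFC(msg []byte, sfc uint32) error {
	if len(msg) < encryptedPortIDLen {
		return fmt.Errorf("message is %d bytes, need %d", len(msg), encryptedPortIDLen)
	}
	if sfc > 0x3FFFFFFF {
		return fmt.Errorf("SFC %#x does not fit in 30 bits", sfc)
	}
	msg[5] = msg[5]&0xC0 | byte(sfc>>24)
	msg[6] = byte(sfc >> 16)
	msg[7] = byte(sfc >> 8)
	msg[8] = byte(sfc)
	return nil
}

// keySwitchSFC is the ONU-side decoder for the same field.
func keySwitchSFC(msg []byte) (uint32, error) {
	if len(msg) < encryptedPortIDLen {
		return 0, fmt.Errorf("message is %d bytes, need %d", len(msg), encryptedPortIDLen)
	}
	return uint32(msg[5]&0x3F)<<24 | uint32(msg[6])<<16 | uint32(msg[7])<<8 | uint32(msg[8]), nil
}

// useNewKey is the ONU rule from the text: the new key applies from the frame at
// which the local, synchronized SFC reaches the target (no counter wrap handled).
func useNewKey(localSFC, target uint32) bool { return localSFC >= target }

// PTI bits of the GEM header as in the table: the middle bit (010) marks an
// encrypted fragment, the low bit end of frame, the high bit GEM OAM.
const (
	ptiEndOfFrame byte = 0b001
	ptiEncrypted  byte = 0b010
	ptiOAM        byte = 0b100
)

func ptiIsEncrypted(pti byte) bool  { return pti&ptiEncrypted != 0 }
func ptiIsEndOfFrame(pti byte) bool { return pti&ptiEndOfFrame != 0 }
func ptiIsOAM(pti byte) bool        { return pti&ptiOAM != 0 }

// withPTIEncryption sets or clears the encryption bit and keeps the other two bits.
func withPTIEncryption(pti byte, on bool) byte {
	pti &= 0b111
	if on {
		return pti | ptiEncrypted
	}
	return pti &^ ptiEncrypted
}

func main() {
	msg := make([]byte, encryptedPortIDLen) // constructed sample message
	if err := setKeySwitchSFC(msg, 0x12345678); err != nil {
		panic(err)
	}
	target, _ := keySwitchSFC(msg)
	fmt.Printf("bytes 6..9: %x, decoded SFC: %#x\n", msg[5:9], target)
	fmt.Printf("frame %#x uses new key: %v\n", target-1, useNewKey(target-1, target))
	fmt.Printf("PTI 001 with encryption on: %03b\n", withPTIEncryption(0b001, true))
}
```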

It should be noted that the many details of this second specific embodiment only aid understanding of the technical principles or concepts of this application and do not limit it; simple variations in further forms based on these technical concepts all fall within the scope of protection of this application.

To further aid understanding of the technical principles or concepts of the embodiments of this application, a third specific embodiment is given, comprising:

This embodiment provides a method for implementing FTTR (Fiber To The Room) encryption, comprising:

1. Adding upstream encryption and frame gap configuration rules to GPON asymmetric and GPON symmetric, and obtaining the IFC value of a GEM frame in the upstream GTC burst: the IFC value of the GEM frame is obtained from the intra-frame counter (IFC) value of the synchronized counter. When the synchronized counter's IFC = N, the position of the first byte of the GEM frame header is marked, and the synchronized counter value at that byte position is used as the cipher block counter value of the upstream GTC burst. For each subsequent cipher block in the upstream GTC burst, the counter is incremented by 1. This ensures that the same counter value is never reused.

2. Enabling upstream and downstream encryption.

3. Switching the encryption algorithm according to the OMCI entity ONU2-G.

4. Mixed encryption of different ONUs under the same PON port.

5. After the encryption algorithm is switched, the OLT and the ONU exchange and update keys according to the new algorithm. The switch takes effect with the key update SFC as the reference; alternatively, it can take effect with the change of the Key Index as the reference.

6. Encrypting the plaintext at the sender to obtain the ciphertext.

7. Decrypting the ciphertext at the receiver to obtain the plaintext.

8. Modifying the Encrypted_Port-ID message and the PTI field of the GEM frame for GPON asymmetric and GPON symmetric.

It should be noted that the many details of this third specific embodiment only aid understanding of the technical principles or concepts of this application and do not limit it; simple variations in further forms based on these technical concepts all fall within the scope of protection of this application.

In addition, an embodiment of the present application further provides a service encryption method for a passive optical network system, the method being applied to an FTTR main device MFU (Main FTTR Unit) and comprising:

sending encryption enable information to the FTTR slave device SFU (Sub FTTR Unit), where the encryption enable information indicates whether encryption is currently disabled, only upstream encryption is enabled, only downstream encryption is enabled, or both upstream and downstream encryption are enabled;

after upstream and downstream encryption, or upstream encryption alone, has been enabled, dynamically switching the encryption algorithm currently negotiated between the MFU and the SFU through the OMCI entity ONU2-G;

performing key synchronization with the SFU according to the dynamically switched encryption algorithm;

after key synchronization, determining from the target value of the superframe counter or from the Key Index the designated frame from which the new key or new encryption algorithm is used, and sending that target value of the superframe counter or Key Index to the SFU.

The present application proposes a service encryption method for a passive optical network system, an electronic device and a storage medium. In this service encryption method, the technical solution of the embodiment is to send encryption enable information to the FTTR slave device SFU, the information indicating whether encryption is currently disabled, only upstream encryption is enabled, only downstream encryption is enabled, or both upstream and downstream encryption are enabled; then, once upstream and downstream encryption, or upstream encryption alone, has been enabled, to dynamically switch the encryption algorithm currently negotiated between the MFU and the SFU through the OMCI entity ONU2-G of the OMCI device; to perform key synchronization with the SFU according to the switched algorithm; and, after key synchronization, to determine from the target value of the superframe counter or from the Key Index the designated frame from which the new key or new algorithm is used, sending that target value or Key Index to the SFU so that the SFU also starts using the new key or new algorithm from that frame to encrypt and decrypt upstream service packets. In this way upstream encryption is added to GPON asymmetric and GPON symmetric in the FTTR (Fiber To The Room) scenario, so that the various PON modes of that scenario (including but not limited to GPON asymmetric, GPON symmetric, XGPON asymmetric and XGPON symmetric) can support the upstream/downstream encryption enable policy, the SM4 encryption algorithm and the dynamic algorithm-switching policy, effectively meeting the requirement that the PON system support multiple encryption algorithms and dynamic switching between them.

In some embodiments, when the passive optical network system is a GPON asymmetric or GPON symmetric system, the new key or new encryption algorithm is used from the designated frame according to the target value of the superframe counter;

when the passive optical network system is an XGPON or XGSPON system, the new key or new encryption algorithm is used from the designated frame according to a change of the Key Index.

In some embodiments, when the passive optical network system is a GPON asymmetric or GPON symmetric system, in the upstream direction the burst of the GTC framing sublayer is divided into a number of 4-byte data blocks, numbered sequentially from S to (S+X);

where S = ⌊target StartTime / m⌋, the target StartTime being the StartTime of the first allocation of the DLL framing sublayer burst and StartTime indicating the start time of the bandwidth allocation slot, and X is the number of data blocks minus one (that is, the number of data blocks in the GTC upstream burst minus one),

m is a value preset for the upstream data rate: m = 4 for 1.25G upstream and m = 2 for 2.5G upstream;

the superframe counter comprises an intra-frame counter and an inter-frame counter, and the value of the intra-frame counter counts all FEC check bytes.

In some embodiments, the step of performing key synchronization with the SFU according to the dynamically switched encryption algorithm comprises:

instructing the SFU to generate a new key according to the dynamically switched encryption algorithm;

after receiving the new key reported by the SFU, designating the key switching time at which the new key takes effect and notifying the SFU of that key switching time;

after receiving the SFU's response confirming receipt of the key switching time, setting the new key into the register of the currently used key at the key switching time.

In some embodiments, the method further comprises:

instructing the SFU to generate a new key by sending the key request message Request_Key;

notifying the SFU of the key switching time by sending the key switching time message Key_Switching_Time.

In some embodiments, when the passive optical network system is a GPON asymmetric or GPON symmetric system, the target value of the superframe counter is sent to the SFU in a PLOAM message, and the step of sending the target value of the superframe counter to the SFU comprises:

sending an Encrypted_Port_ID message to the SFU, the Encrypted_Port_ID message carrying the target value of the superframe counter.
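The key-synchronization exchange described above (Request_Key, new key reported, Key_Switching_Time, response, key installed at the switching time), modelled for the GPON case where the switching time is a superframe-counter target value. This is an added example, not code from the patent or from ZTE: the `Endpoint`, `SFU` and `MFU` classes, the message field names, the integer superframe counter and the 8-frame lead time are assumptions of the model, and the target value is carried inside the Key_Switching_Time message rather than in a separate Encrypted_Port_ID PLOAM message as the text describes. No real cipher is run; keys are opaque 16-byte strings.

```python
"""Model of the MFU/SFU key switch: nothing is committed until the SFU acknowledges,
and both ends install the new (algorithm, key) at the same superframe counter value.
Added example with assumed names; not the patent's or ZTE's code.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Callable, Optional
import secrets


@dataclass
class Message:
    kind: str                                   # Request_Key | New_Key | Key_Switching_Time | Ack
    payload: dict = field(default_factory=dict)


class Endpoint:
    """State shared by both ends: the pair in force and the pending pair."""

    def __init__(self, algorithm: str, key: bytes):
        self.algorithm, self.active_key = algorithm, key
        self.pending: Optional[tuple[str, bytes]] = None   # (algorithm, key) awaiting activation
        self.switch_at: Optional[int] = None               # superframe counter value of the designated frame

    def state_for_frame(self, sfc: int) -> tuple[str, bytes]:
        """(algorithm, key) used for the frame whose superframe counter is sfc.
        The counter is treated as monotonic; wrap of the 30-bit inter-frame counter is not modelled."""
        if self.pending is not None and self.switch_at is not None and sfc >= self.switch_at:
            self.algorithm, self.active_key = self.pending
            self.pending, self.switch_at = None, None
        return self.algorithm, self.active_key


class SFU(Endpoint):
    """FTTR slave unit: generates a key on request, records the switching time, acknowledges."""

    def handle(self, msg: Message) -> Message:
        if msg.kind == "Request_Key":
            # Both AES-128 and SM4 take a 16-byte key; the algorithm name rides along so the
            # SFU activates key and algorithm together at the designated frame.
            self.pending = (msg.payload["algorithm"], secrets.token_bytes(16))
            return Message("New_Key", {"key": self.pending[1]})
        if msg.kind == "Key_Switching_Time":
            self.switch_at = msg.payload["sfc_target"]
            return Message("Ack", {"sfc_target": self.switch_at})
        raise ValueError(f"unexpected message {msg.kind}")


class MFU(Endpoint):
    """FTTR main unit: drives the exchange through `send`, which returns the SFU's reply or None if lost."""

    def __init__(self, algorithm: str, key: bytes, send: Callable[[Message], Optional[Message]]):
        super().__init__(algorithm, key)
        self.send = send

    def switch_algorithm(self, new_algorithm: str, current_sfc: int, lead_frames: int = 8) -> int:
        """Run the exchange and return the superframe target sent to the SFU.
        Raises without changing local state if the SFU does not answer as expected."""
        reply = self.send(Message("Request_Key", {"algorithm": new_algorithm}))
        if reply is None or reply.kind != "New_Key":
            raise RuntimeError("SFU did not report a new key")
        target = current_sfc + lead_frames
        ack = self.send(Message("Key_Switching_Time", {"sfc_target": target}))
        # Commit only after the SFU confirms it received the switching time (the text's last step).
        if ack is None or ack.kind != "Ack" or ack.payload.get("sfc_target") != target:
            raise RuntimeError("SFU did not acknowledge the switching time; old key stays in force")
        self.pending = (new_algorithm, reply.payload["key"])
        self.switch_at = target
        return target


def ends_agree(mfu: MFU, sfu: SFU, frames: range) -> bool:
    """True if both ends would use the same (algorithm, key) for every frame in `frames`."""
    return all(mfu.state_for_frame(f) == sfu.state_for_frame(f) for f in frames)


if __name__ == "__main__":
    old = bytes(16)                                   # constructed placeholder for the key in force
    sfu = SFU("AES-128", old)
    mfu = MFU("AES-128", old, sfu.handle)
    target = mfu.switch_algorithm("SM4", current_sfc=100)
    print("switch at superframe", target, "ends agree:", ends_agree(mfu, sfu, range(95, 130)))
```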

In some embodiments, the encryption enable information carries an encryption enable flag as follows:

the encryption enable flag is carried in a designated bit of the PTI field of the encryption enable information, where a first designated value of the bit indicates that encryption is disabled, a second designated value indicates that only upstream encryption is enabled, a third designated value indicates that only downstream encryption is enabled, and a fourth designated value indicates that both upstream and downstream encryption are enabled.

In some embodiments, the MFU and all of the SFUs use the synchronized superframe counter. The superframe counter comprises an intra-frame counter and an inter-frame counter and is 46 bits wide, the low 16 bits being the intra-frame counter and the high 30 bits the inter-frame counter. For upstream encryption, the intra-frame counter is set to 0 at the start of the upstream frame and increments every 4 bytes; the inter-frame counter is carried in the GTC Header field of the downstream GTC frame, which specifies the upstream GTC burst in which the upstream GEM frames are transmitted.
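A worked model of the upstream cipher-block counter described in the preceding embodiments: the 46-bit superframe counter (high 30 bits inter-frame, low 16 bits intra-frame), the 4-byte block numbering S..S+X with S = ⌊StartTime / m⌋ (m = 4 for 1.25G, m = 2 for 2.5G upstream), and the check that two allocations never reuse a counter value. This is an added example, not code from the patent or from ZTE; every function name is an assumption, and the upstream frame lengths used for the bounds check (19440 bytes at 1.24416 Gbit/s, 38880 bytes at 2.48832 Gbit/s) come from G.984, not from the page.

```python
"""Upstream cipher-block counter model for the scheme described above.
Added example with assumed names; not the patent's or ZTE's code.
"""
INTRA_BITS = 16
INTER_BITS = 30
INTRA_MASK = (1 << INTRA_BITS) - 1
INTER_MASK = (1 << INTER_BITS) - 1
BLOCK_BYTES = 4

# StartTime divisor m per upstream line rate, as given in the text.
M_BY_RATE = {"1.25G": 4, "2.5G": 2}
# Upstream frame length in bytes: an assumption taken from G.984, not from the patent.
FRAME_BYTES = {"1.25G": 19440, "2.5G": 38880}


def pack_counter(inter_frame: int, intra_frame: int) -> int:
    """Assemble the 46-bit counter: inter-frame counter in the high 30 bits,
    intra-frame counter in the low 16 bits."""
    if not 0 <= inter_frame <= INTER_MASK:
        raise ValueError("inter-frame counter must fit in 30 bits")
    if not 0 <= intra_frame <= INTRA_MASK:
        raise ValueError("intra-frame counter must fit in 16 bits")
    return (inter_frame << INTRA_BITS) | intra_frame


def unpack_counter(counter: int) -> tuple[int, int]:
    """Split a 46-bit counter back into (inter_frame, intra_frame)."""
    return (counter >> INTRA_BITS) & INTER_MASK, counter & INTRA_MASK


def block_range(start_time: int, burst_bytes: int, rate: str) -> range:
    """Block numbers S..S+X of one upstream burst.

    S = floor(StartTime / m) and X = number of 4-byte blocks minus one.  The
    intra-frame counter counts FEC parity bytes too, so burst_bytes is the
    on-the-wire burst length including FEC, and must be a whole number of blocks.
    """
    m = M_BY_RATE[rate]
    if burst_bytes <= 0 or burst_bytes % BLOCK_BYTES:
        raise ValueError("burst must be a positive multiple of 4 bytes")
    s = start_time // m
    x = burst_bytes // BLOCK_BYTES - 1
    # The intra-frame counter restarts at 0 each upstream frame, so a burst may
    # not run past the last block of the frame.
    if s + x > FRAME_BYTES[rate] // BLOCK_BYTES - 1:
        raise ValueError("burst runs past the end of the upstream frame")
    return range(s, s + x + 1)


def burst_counters(inter_frame: int, start_time: int, burst_bytes: int, rate: str) -> list[int]:
    """46-bit counter value for every cipher block of one burst.

    The intra-frame counter at the block that starts the burst equals the block
    number S (the counter is 0 at the frame start and steps once per 4 bytes),
    and it advances by exactly 1 for each following cipher block.
    """
    return [pack_counter(inter_frame, n) for n in block_range(start_time, burst_bytes, rate)]


def counters_are_unique(bursts: list[tuple[int, int, int, str]]) -> bool:
    """True if no counter value repeats across the given bursts, each given as
    (inter_frame, start_time, burst_bytes, rate).  Overlapping allocations in
    the same frame would reuse a value; the text's scheme guarantees uniqueness
    only for non-overlapping allocations."""
    seen: set[int] = set()
    for burst in bursts:
        for c in burst_counters(*burst):
            if c in seen:
                return False
            seen.add(c)
    return True


if __name__ == "__main__":
    # Constructed sample: two ONUs in superframe 7, bursts of 16 bytes at StartTime 100 and 116.
    for c in burst_counters(7, 100, 16, "1.25G"):
        print(hex(c), unpack_counter(c))
    print("unique:", counters_are_unique([(7, 100, 16, "1.25G"), (7, 116, 16, "1.25G")]))
```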

The service encryption method for a passive optical network system provided by this embodiment of the invention uses the same or similar technical features as the embodiments above and meets the requirement that the PON system support multiple encryption algorithms and dynamic switching between them. Compared with the prior art, its beneficial effects are the same as those of the service encryption method provided by the embodiments above, and its other technical features are the same as those disclosed in method one of the embodiments above, so they are not repeated here.

In addition, an embodiment of the present application further provides a service encryption method for a passive optical network system, the method being applied to an FTTR slave device SFU and comprising:

receiving encryption enable information sent by the FTTR main device MFU, where the encryption enable information indicates whether encryption is currently disabled, only upstream encryption is enabled, only downstream encryption is enabled, or both upstream and downstream encryption are enabled;

after upstream and downstream encryption, or upstream encryption alone, has been enabled, dynamically switching the encryption algorithm currently negotiated between the MFU and the SFU through the OMCI entity ONU2-G;

performing key synchronization with the MFU according to the dynamically switched encryption algorithm;

after key synchronization, receiving the target value of the superframe counter or the Key Index sent by the MFU, and determining from that target value or Key Index the designated frame from which the new key or new encryption algorithm is used.

The present application proposes a service encryption method for a passive optical network system, an electronic device and a storage medium. In this service encryption method, the technical solution of the embodiment is to receive encryption enable information sent by the FTTR main device MFU, the information indicating whether encryption is currently disabled, only upstream encryption is enabled, only downstream encryption is enabled, or both upstream and downstream encryption are enabled; once upstream and downstream encryption, or upstream encryption alone, has been enabled, to dynamically switch the encryption algorithm currently negotiated between the MFU and the SFU through the OMCI entity ONU2-G; to perform key synchronization with the MFU according to the switched algorithm; and then, after key synchronization, to receive the target value of the superframe counter or the Key Index sent by the MFU and determine from it the designated frame from which the new key or new algorithm is used to encrypt and decrypt upstream service packets. In this way upstream encryption is added to GPON asymmetric and GPON symmetric in the FTTR (Fiber To The Room) scenario, so that the various PON modes of that scenario (including but not limited to GPON asymmetric, GPON symmetric, XGPON asymmetric and XGPON symmetric) can support the upstream/downstream encryption enable policy, the SM4 encryption algorithm and the dynamic algorithm-switching policy, effectively meeting the requirement that the PON system support multiple encryption algorithms and dynamic switching between them.

In some embodiments, when the passive optical network system is a GPON asymmetric or GPON symmetric system, the new key or new encryption algorithm is used from the designated frame according to the target value of the superframe counter;

when the passive optical network system is an XGPON or XGSPON system, the new key or new encryption algorithm is used from the designated frame according to a change of the Key Index.

In some embodiments, when the passive optical network system is a GPON asymmetric or GPON symmetric system, in the upstream direction the burst of the GTC framing sublayer is divided into a number of 4-byte data blocks, numbered sequentially from S to (S+X);

where S = ⌊target StartTime / m⌋, the target StartTime being the StartTime of the first allocation of the DLL framing sublayer burst and StartTime indicating the start time of the bandwidth allocation slot, and X is the number of data blocks minus one (that is, the number of data blocks in the GTC upstream burst minus one),

m is a value preset for the upstream data rate: m = 4 for 1.25G upstream and m = 2 for 2.5G upstream;

the superframe counter comprises an intra-frame counter and an inter-frame counter, and the value of the intra-frame counter counts all FEC check bytes.

In some embodiments, the method further comprises:

receiving the key request message Request_Key sent by the MFU and, in response to the Request_Key message, triggering the SFU to generate a new key;

receiving the key switching time message Key_Switching_Time sent by the MFU and obtaining the key switching time from the Key_Switching_Time message.

In some embodiments, when the passive optical network system is a GPON asymmetric or GPON symmetric system, the target value of the superframe counter sent by the MFU is received in a PLOAM message, and the step of receiving the target value of the superframe counter sent by the MFU comprises:

receiving the Encrypted_Port_ID message sent by the MFU;

determining the target value of the superframe counter from the Encrypted_Port_ID message.

In some embodiments, the encryption enable information carries an encryption enable flag as follows:

the encryption enable flag is carried in a designated bit of the PTI field of the encryption enable information, where a first designated value of the bit indicates that encryption is disabled, a second designated value indicates that only upstream encryption is enabled, a third designated value indicates that only downstream encryption is enabled, and a fourth designated value indicates that both upstream and downstream encryption are enabled.

In some embodiments, the MFU and all of the SFUs use the synchronized superframe counter. The superframe counter comprises an intra-frame counter and an inter-frame counter and is 46 bits wide, the low 16 bits being the intra-frame counter and the high 30 bits the inter-frame counter. For upstream encryption, the intra-frame counter is set to 0 at the start of the upstream frame and increments every 4 bytes; the inter-frame counter is carried in the GTC Header field of the downstream GTC frame, which specifies the upstream GTC burst in which the upstream GEM frames are transmitted.

The service encryption method for a passive optical network system provided by this embodiment of the invention uses the same or similar technical features as the embodiments above and meets the requirement that the PON system support multiple encryption algorithms and dynamic switching between them. Compared with the prior art, its beneficial effects are the same as those of the service encryption method provided by the embodiments above, and its other technical features are the same as those disclosed in method one of the embodiments above, so they are not repeated here.

FIG. 3 shows a block diagram of an electronic device 1800 according to an exemplary embodiment of the present application. The electronic device 1800 includes a central processing unit (CPU) 1801, a system memory 1804 comprising a random access memory (RAM) 1802 and a read-only memory (ROM) 1803, and a system bus 1805 connecting the system memory 1804 and the central processing unit 1801. The electronic device 1800 further includes a storage device 1806 for storing an operating system 1809, a client 1810 and other program modules 1811.

Without loss of generality, the computer-readable medium may include computer storage media and communication media. Computer storage media include volatile and non-volatile, removable and non-removable media implemented by any method or technology for storing information such as computer-readable instructions, data structures, program modules or other data. Computer storage media include RAM, ROM, erasable programmable read-only memory (EPROM), electrically erasable programmable read-only memory (EEPROM), flash memory or other solid-state storage technology, CD-ROM, digital versatile disc (DVD) or other optical storage, magnetic cassettes, magnetic tape, magnetic disk storage or other magnetic storage devices. Of course, those skilled in the art will know that computer storage media are not limited to these. The system memory 1804 and the storage device 1806 above may be referred to collectively as memory.

According to various embodiments of the present disclosure, the electronic device 1800 may also operate while connected to a remote computer through a network such as the Internet. That is, the electronic device 1800 may connect to the network 1808 through a network interface unit 1807 attached to the system bus 1805, or the network interface unit 1807 may be used to connect to other types of network or remote computer system (not shown).

The memory further stores at least one instruction, at least one program, code set or instruction set, and the central processing unit 1801 executes it to implement all or part of the steps of the service encryption method for a passive optical network system shown in the embodiments above.

In an exemplary embodiment, a computer-readable storage medium is also provided, storing at least one computer program which is loaded and executed by a processor to implement all or part of the steps of the service encryption method for a passive optical network system described above. For example, the computer-readable storage medium may be a read-only memory (ROM), a random access memory (RAM), a compact disc read-only memory (CD-ROM), a magnetic tape, a floppy disk, an optical data storage device or the like.

In an exemplary embodiment, a computer program product is also provided, comprising at least one computer program which is loaded by a processor and executes all or part of the steps of the service encryption method for a passive optical network system shown in any of the embodiments above.

Those skilled in the art will readily conceive of other embodiments of the present application after considering the specification and practicing the invention disclosed herein. The present application is intended to cover any variation, use or adaptation that follows its general principles and includes common knowledge or customary technical means in the art not disclosed herein. The specification and examples are to be regarded as exemplary only, and the true scope and spirit of the present application are indicated by the claims.

It should be understood that the present application is not limited to the precise structures described above and shown in the drawings, and that various modifications and changes may be made without departing from its scope. The scope of the present application is limited only by the appended claims.

Claims (12)

1. A service encryption method of a passive optical network system, the service encryption method being applied to an optical line terminal OLT, comprising:
transmitting encryption enabling information to an optical network unit ONU, wherein the encryption enabling information is used for indicating whether encryption is currently not started, only upstream encryption is started, only downstream encryption is started, or upstream and downstream encryption are started;
after upstream and downstream encryption, or upstream encryption alone, has been enabled, dynamically switching the encryption algorithm currently negotiated between the OLT and the ONU through an OMCI entity ONU2-G;
performing key synchronization with the ONU according to the dynamically switched encryption algorithm;
after the key synchronization, determining to use a new key or a new encryption algorithm from a designated frame according to a target value of a superframe counter or a Key Index, and transmitting the target value of the superframe counter or the Key Index to the ONU;
wherein, when the passive optical network system is a GPON asymmetric system or a GPON symmetric system, in the upstream direction a burst of the GTC framing sublayer is divided into a plurality of 4-byte data blocks, each data block being numbered sequentially from S to (S+X);
wherein S = ⌊target StartTime / m⌋, that is, target StartTime / m rounded down; target StartTime is the first allocated StartTime of the DLL framing sublayer burst, StartTime indicating the start time of the bandwidth allocation slot; X is the number of data blocks minus one;
m is a value preset for the upstream data transmission rate, where m = 4 for 1.25G upstream and m = 2 for 2.5G upstream;
the superframe counter includes an intra-frame counter and an inter-frame counter, wherein the value of the intra-frame counter includes all FEC check bytes.
2. The service encryption method according to claim 1, wherein determining to use a new key or a new encryption algorithm from a designated frame according to the target value of the superframe counter or the Key Index comprises:
when the passive optical network system is a GPON asymmetric system or a GPON symmetric system, using the new key or the new encryption algorithm from the designated frame according to the target value of the superframe counter;
when the passive optical network system is an XGPON or XGSPON system, using the new key or the new encryption algorithm from the designated frame according to a change in the Key Index.
3. The service encryption method according to claim 1, wherein the step of performing key synchronization with the ONU according to the dynamically switched encryption algorithm includes:
instructing the ONU to generate a new key according to the dynamically switched encryption algorithm;
after receiving the new key reported by the ONU, designating the key switching time at which the new key takes effect, and notifying the ONU of the key switching time;
after receiving the response of the ONU confirming receipt of the key switching time, setting the new key into the register of the currently used key at the key switching time.
4. The service encryption method according to claim 3, wherein the method further comprises:
instructing the ONU to generate a new key by sending a key request message Request_Key;
notifying the ONU of the key switching time by sending a key switching time message Key_Switching_Time.
5. The service encryption method according to claim 4, wherein, when the passive optical network system is a GPON asymmetric system or a GPON symmetric system, the target value of the superframe counter is transmitted to the ONU by means of a PLOAM message, and the step of transmitting the target value of the superframe counter to the ONU comprises:
sending an Encrypted_Port_ID message to the ONU, wherein the Encrypted_Port_ID message carries the target value of the superframe counter.
6. The service encryption method according to any one of claims 1 to 5, wherein the encryption enabling information carries an encryption enabling identifier by:
carrying the encryption enabling identifier in a designated bit of a PTI field in the encryption enabling information, wherein a first designated value of the bit indicates that encryption is not started, a second designated value indicates that only upstream encryption is started, a third designated value indicates that only downstream encryption is started, and a fourth designated value indicates that upstream and downstream encryption are started.
7. The service encryption method according to claim 1, wherein said OLT and all said ONUs use said superframe counter synchronized, said superframe counter including an intra-frame counter and an inter-frame counter and having a width of 46 bits, wherein the lower 16 bits are said intra-frame counter and the upper 30 bits are said inter-frame counter; for said upstream encryption, said intra-frame counter is set to 0 at the start of the upstream frame and incremented every 4 bytes; said inter-frame counter is included in the GTC Header field of the downstream GTC frame, said GTC Header field specifying the upstream GTC burst for transmitting the upstream GEM frame.
8. A service encryption method of a passive optical network system, the service encryption method being applied to an optical network unit (ONU), comprising:
receiving encryption enabling information sent by an optical line terminal (OLT), the encryption enabling information indicating whether encryption is currently not started, only uplink encryption is started, only downlink encryption is started, or both uplink and downlink encryption are started;
after uplink encryption, downlink encryption, or both are enabled, dynamically switching, through the OMCI entity ONU 2-G, the encryption algorithm currently negotiated between the OLT and the ONU;
performing key synchronization with the OLT according to the dynamically switched encryption algorithm;
after the key synchronization, receiving a target value or key index of a superframe counter sent by the OLT, and determining from the target value or key index of the superframe counter that a new key or a new encryption algorithm is to be used from a designated frame onward;
wherein, when the passive optical network system is a GPON asymmetric system or a GPON symmetric system, in the upstream direction a burst of the GTC framing sublayer is divided into a plurality of 4-byte data blocks, numbered sequentially from S to (S+X);
wherein S = ⌊targetStartTime/M⌋ denotes targetStartTime/M rounded down, targetStartTime is the first allocated StartTime, the StartTime of the DLL framing sublayer burst indicating the start time of the bandwidth allocation slot, and X is the number of data blocks minus one,
M is a value preset according to the uplink data transmission rate, with M = 4 for a 1.25G uplink and M = 2 for a 2.5G uplink;
and the superframe counter comprises an intra-frame counter and an inter-frame counter, the value of the intra-frame counter covering all FEC check bytes.
9. A traffic encryption method of a passive optical network system, the traffic encryption method being applied to an FTTR master device (MFU), comprising:
sending encryption enabling information to an FTTR slave device (SFU), the encryption enabling information indicating whether encryption is currently not started, only uplink encryption is started, only downlink encryption is started, or both uplink and downlink encryption are started;
after uplink encryption, downlink encryption, or both are enabled, dynamically switching, through the OMCI entity ONU 2-G, the encryption algorithm currently negotiated between the MFU and the SFU;
performing key synchronization with the SFU according to the dynamically switched encryption algorithm;
after the key synchronization, determining from a target value or key index of a superframe counter that a new key or a new encryption algorithm is to be used from a designated frame onward, and sending the target value or key index of the superframe counter to the SFU;
wherein, when the passive optical network system is a GPON asymmetric system or a GPON symmetric system, in the upstream direction a burst of the GTC framing sublayer is divided into a plurality of 4-byte data blocks, numbered sequentially from S to (S+X);
wherein S = ⌊targetStartTime/M⌋ denotes targetStartTime/M rounded down, targetStartTime is the first allocated StartTime, the StartTime of the DLL framing sublayer burst indicating the start time of the bandwidth allocation slot, and X is the number of data blocks minus one,
M is a value preset according to the uplink data transmission rate, with M = 4 for a 1.25G uplink and M = 2 for a 2.5G uplink;
and the superframe counter comprises an intra-frame counter and an inter-frame counter, the value of the intra-frame counter covering all FEC check bytes.
10. A service encryption method of a passive optical network system, the service encryption method being applied to an FTTR slave device (SFU), comprising:
receiving encryption enabling information sent by an FTTR master device (MFU), the encryption enabling information indicating whether encryption is currently not started, only uplink encryption is started, only downlink encryption is started, or both uplink and downlink encryption are started;
after uplink encryption, downlink encryption, or both are enabled, dynamically switching, through the OMCI entity ONU 2-G, the encryption algorithm currently negotiated between the MFU and the SFU;
performing key synchronization with the MFU according to the dynamically switched encryption algorithm;
after the key synchronization, receiving a target value or key index of a superframe counter sent by the MFU, and determining from the target value or key index of the superframe counter that a new key or a new encryption algorithm is to be used from a designated frame onward;
wherein, when the passive optical network system is a GPON asymmetric system or a GPON symmetric system, in the upstream direction a burst of the GTC framing sublayer is divided into a plurality of 4-byte data blocks, numbered sequentially from S to (S+X);
wherein S = ⌊targetStartTime/M⌋ denotes targetStartTime/M rounded down, targetStartTime is the first allocated StartTime, the StartTime of the DLL framing sublayer burst indicating the start time of the bandwidth allocation slot, and X is the number of data blocks minus one,
M is a value preset according to the uplink data transmission rate, with M = 4 for a 1.25G uplink and M = 2 for a 2.5G uplink;
and the superframe counter comprises an intra-frame counter and an inter-frame counter, the value of the intra-frame counter covering all FEC check bytes.
11. An electronic device, comprising: memory, a processor and a traffic encryption program of a passive optical network system stored on the memory and operable on the processor, which when executed by the processor, implements the traffic encryption method of a passive optical network system according to any one of claims 1 to 10.
12. A storage medium, characterized in that the storage medium is a computer-readable storage medium, on which a traffic encryption program of a passive optical network system is stored, which, when executed by a processor, implements the traffic encryption method of a passive optical network system according to any one of claims 1 to 10.
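As an added illustration of the block numbering and counter layout recited in claims 7 to 10 (example code written for this page, not part of the patent or of any ZTE implementation), the following Python computes S = ⌊targetStartTime/M⌋, numbers the 4-byte blocks of one upstream burst, assembles the 46-bit superframe counter from its 30-bit inter-frame and 16-bit intra-frame parts, and selects the key once the announced switch point is reached. The function names, the "at or after the target value" switch semantics, and taking the inter-frame counter as an already-parsed integer (rather than extracting it from the GTC header) are assumptions.

```python
from typing import List

BLOCK_BYTES = 4      # each upstream data block is 4 bytes (claims 8-10)
INTRA_BITS = 16      # lower 16 bits of the 46-bit counter: intra-frame counter (claim 7)
INTER_BITS = 30      # upper 30 bits: inter-frame counter carried in the downstream GTC header
M_BY_UPLINK_GBPS = {1.25: 4, 2.5: 2}   # divisor M per uplink rate, as stated in the claims


def first_block_index(target_start_time: int, uplink_gbps: float) -> int:
    """S = floor(targetStartTime / M); targetStartTime is the StartTime of the first allocation."""
    return target_start_time // M_BY_UPLINK_GBPS[uplink_gbps]


def block_numbers(target_start_time: int, burst_len_bytes: int, uplink_gbps: float) -> List[int]:
    """Number the 4-byte blocks of a burst S .. S+X (X = number of blocks minus one).
    burst_len_bytes must cover the whole burst, FEC check bytes included, because the
    intra-frame counter value counts all FEC check bytes."""
    if burst_len_bytes <= 0 or burst_len_bytes % BLOCK_BYTES:
        raise ValueError("burst length must be a positive multiple of 4 bytes")
    s = first_block_index(target_start_time, uplink_gbps)
    x = burst_len_bytes // BLOCK_BYTES - 1
    return list(range(s, s + x + 1))


def superframe_counter(inter_frame: int, intra_frame: int) -> int:
    """Assemble the 46-bit counter: inter-frame in the upper 30 bits, intra-frame in the lower 16."""
    if not 0 <= inter_frame < (1 << INTER_BITS):
        raise ValueError("inter-frame counter exceeds 30 bits")
    if not 0 <= intra_frame < (1 << INTRA_BITS):
        raise ValueError("intra-frame counter exceeds 16 bits")  # burst numbered past frame end
    return (inter_frame << INTRA_BITS) | intra_frame


def block_counters(inter_frame: int, target_start_time: int,
                   burst_len_bytes: int, uplink_gbps: float) -> List[int]:
    """Counter value for each block of one upstream burst. The intra-frame counter restarts
    at 0 at the upstream frame start and advances once per 4-byte block, so a block's
    intra-frame value is its block number; the inter-frame value is shared by the frame."""
    return [superframe_counter(inter_frame, n)
            for n in block_numbers(target_start_time, burst_len_bytes, uplink_gbps)]


def key_for_counter(counter: int, switch_at: int, old_key: bytes, new_key: bytes) -> bytes:
    """Key selection after key synchronization: the OLT (or MFU) announces a target
    superframe counter value; blocks at or after it (assumed semantics) use the new key."""
    return new_key if counter >= switch_at else old_key
```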
Priority Applications (2)

Application Number Priority Date Filing Date Title
CN202410063582.1A CN117579182B (en) 2024-01-17 2024-01-17 Service encryption method of passive optical network system, electronic equipment and storage medium
PCT/CN2025/071772 WO2025152864A1 (en) 2024-01-17 2025-01-10 Service encryption method for passive optical network system, and electronic device and storage medium

Publications (2)

Publication Number Publication Date
CN117579182A CN117579182A (en) 2024-02-20
CN117579182B true CN117579182B (en) 2024-05-03

Family

ID=89895953

Country Status (2)

Country Link
CN (1) CN117579182B (en)
WO (1) WO2025152864A1 (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN117579182B (en) * 2024-01-17 2024-05-03 中兴通讯股份有限公司 Service encryption method of passive optical network system, electronic equipment and storage medium
CN119094127B (en) * 2024-09-30 2025-07-15 烽火通信科技股份有限公司 Encryption algorithm dynamic negotiation method, device, equipment and readable storage medium

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101064719A (en) * 2006-04-27 2007-10-31 华为技术有限公司 Cryptographic algorithm negotiating method in PON system
CN101197663A (en) * 2008-01-03 2008-06-11 中兴通讯股份有限公司 Protection method for Gigabit passive optical network encryption service
CN102104478A (en) * 2009-12-16 2011-06-22 中兴通讯股份有限公司 Method and device for improving safety of EPON system
CN102148682A (en) * 2010-02-08 2011-08-10 中兴通讯股份有限公司 Method and system for accurately positioning ONU (Optical Network Unit) with exceptional luminescence
CN103138918A (en) * 2011-11-28 2013-06-05 中兴通讯股份有限公司 Method, device and system of avoiding gigabit passive optical network (GPON) system encryption enabling instant packet loss
CN103516515A (en) * 2012-06-28 2014-01-15 中兴通讯股份有限公司 Encryption/decryption seamless switch achieving method, OLT and ONU in GPON system
CN117318812A (en) * 2022-06-22 2023-12-29 华为技术有限公司 A data transmission method and device

Family Cites Families (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7591012B2 (en) * 2004-03-02 2009-09-15 Microsoft Corporation Dynamic negotiation of encryption protocols
CN117579182B (en) * 2024-01-17 2024-05-03 中兴通讯股份有限公司 Service encryption method of passive optical network system, electronic equipment and storage medium

Also Published As

Publication number Publication date
WO2025152864A1 (en) 2025-07-24
CN117579182A (en) 2024-02-20

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination
GR01 Patent grant