US-12621174-B2 - Data security for networks combining encryption with error correction

Abstract

In one example embodiment, data is received at a node of a network. The data includes encrypted data segments containing data portions and error correction information. The encrypted data segments are decrypted to produce the data portions and the error correction information. Error correction is performed on the data portions using the error correction information. Corrupt data is determined based on the error correction indicating uncorrectable data.

Inventors

  • Scott Roy Fluhrer
  • Gilberto Loprieno

Assignees

  • CISCO TECHNOLOGY, INC.

Dates

Publication Date
20260505
Application Date
20230823

Claims (20)

  1. A method comprising: receiving data of a frame at a node of a network, wherein the data includes encrypted codewords generated by encrypting codewords including encoded data segments, wherein the encoded data segments include plaintext symbols representing data portions and error correction information, wherein each plaintext symbol of the encoded data segments is associated with a different portion of unpredictable sequences of values and independently encrypted within the encrypted codewords by corresponding values from the different portion to map each plaintext symbol to a corresponding unpredictable ciphertext symbol, and wherein the unpredictable sequences of values are produced from different portions of an encrypted value; generating the unpredictable sequences of values used to encrypt the codewords; decrypting the encrypted codewords of the frame using the unpredictable sequences of values to produce the encoded data segments containing the data portions and the error correction information; performing authentication and error correction simultaneously on the data portions using the error correction information; and determining corrupt data based on the error correction indicating uncorrectable data.
  2. The method of claim 1, wherein the network includes an optical transport network (OTN) and the frame includes an OTN frame.
  3. The method of claim 1, wherein the data includes Ethernet traffic.
  4. The method of claim 1, wherein the encrypted codewords include Reed-Solomon codes.
  5. The method of claim 1, wherein the encrypted value is produced based on an advanced encryption standard (AES).
  6. The method of claim 1, further comprising: synchronizing the unpredictable sequences of values with a transmitting node of the network.
  7. The method of claim 6, wherein decrypting the encrypted codewords comprises: decrypting the encrypted codewords based on the unpredictable sequences of values synchronized with the transmitting node.
  8. An apparatus comprising: a network computing device of a network comprising a memory for storing program instructions and one or more processors configured to execute the program instructions and perform operations including: receiving data of a frame including encrypted codewords generated by encrypting codewords including encoded data segments, wherein the encoded data segments include plaintext symbols representing data portions and error correction information, wherein each plaintext symbol of the encoded data segments is associated with a different portion of unpredictable sequences of values and independently individually encrypted within the encrypted codewords by corresponding values from the different portion to map each plaintext symbol to a corresponding unpredictable ciphertext symbol, and wherein the unpredictable sequences of values are produced from different portions of an encrypted value; generating the unpredictable sequences of values used to encrypt the codewords; decrypting the encrypted codewords of the frame using the unpredictable sequences of values to produce the encoded data segments containing the data portions and the error correction information; performing authentication and error correction simultaneously on the data portions using the error correction information; and determining corrupt data based on the error correction indicating uncorrectable data.
  9. The apparatus of claim 8, wherein the network includes an optical transport network (OTN) and the frame includes an OTN frame.
  10. The apparatus of claim 8, wherein the data includes Ethernet traffic.
  11. The apparatus of claim 8, wherein the encrypted codewords include Reed-Solomon codes.
  12. The apparatus of claim 8, wherein the encrypted value is produced based on an advanced encryption standard (AES).
  13. The apparatus of claim 8, wherein the one or more processors are configured to perform further operations including: synchronizing the unpredictable sequences of values with a transmitting node of the network, and wherein decrypting the encrypted codewords comprises decrypting the encrypted codewords based on the unpredictable sequences of values synchronized with the transmitting node.
  14. One or more non-transitory computer readable storage media encoded with processing instructions that, when executed by one or more processors, cause the one or more processors to perform operations including: receiving data of a frame at a node of a network, wherein the data includes encrypted codewords generated by encrypting codewords including encoded data segments, wherein the encoded data segments include plaintext symbols representing data portions and error correction information, wherein each plaintext symbol of the encoded data segments is associated with a different portion of unpredictable sequences of values and independently encrypted within the encrypted codewords by corresponding values from the different portion to map each plaintext symbol to a corresponding unpredictable ciphertext symbol, and wherein the unpredictable sequences of values are produced from different portions of an encrypted value; generating the unpredictable sequences of values used to encrypt the codewords; decrypting the encrypted codewords of the frame using the unpredictable sequences of values to produce the encoded data segments containing the data portions and the error correction information; performing authentication and error correction simultaneously on the data portions using the error correction information; and determining corrupt data based on the error correction indicating uncorrectable data.
  15. The one or more non-transitory computer readable storage media of claim 14, wherein the network includes an optical transport network (OTN) and the frame includes an OTN frame.
  16. The one or more non-transitory computer readable storage media of claim 14, wherein the data includes Ethernet traffic.
  17. The one or more non-transitory computer readable storage media of claim 14, wherein the encrypted codewords include Reed-Solomon codes.
  18. The one or more non-transitory computer readable storage media of claim 14, wherein the encrypted value is produced based on an advanced encryption standard (AES).
  19. The one or more non-transitory computer readable storage media of claim 14, wherein the processing instructions cause the one or more processors to perform further operations including: synchronizing the unpredictable sequences of values with a transmitting node of the network.
  20. The one or more non-transitory computer readable storage media of claim 19, wherein decrypting the encrypted codewords comprises: decrypting the encrypted codewords based on the unpredictable sequences of values synchronized with the transmitting node.

Description

TECHNICAL FIELD

The present disclosure relates to secure data communications.

BACKGROUND

Optical transport network (OTN) frames are encrypted over the network. When a frame has been tampered with, the frame is to be rejected. This can be difficult since detecting tampering resides very late in frame processing logic. In addition, buffering may be required until the frame has been vetted which is costly.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of an example network environment, according to an example embodiment.

FIG. 2 is a block diagram of network nodes of the network environment of FIG. 1 transferring data, according to an example embodiment.

FIG. 3 is a flowchart of a method for encoding and encrypting data, according to an example embodiment.

FIG. 4 is a block diagram of a network node of the network environment of FIG. 1 encoding and encrypting data, according to an example embodiment.

FIG. 5 is a flowchart of a method for decrypting and decoding data, according to an example embodiment.

FIG. 6 is a block diagram of a network node of the network environment of FIG. 1 decrypting data, according to an example embodiment.

FIG. 7A is an illustration of an example frame structure, according to an example embodiment.

FIG. 7B is an illustration of an example block structure for overhead data, according to an example embodiment.

FIG. 8 is a flowchart of a generalized method for combined encryption and error correction, according to an example embodiment.

FIG. 9 illustrates a hardware block diagram of a computing device configured to perform functions associated with combined encryption and error correction as discussed herein, according to an example embodiment.

DETAILED DESCRIPTION

Overview

In one example embodiment, data is received at a node of a network. The data includes encrypted data segments containing data portions and error correction information. The encrypted data segments are decrypted to produce the data portions and the error correction information. Error correction is performed on the data portions using the error correction information. Corrupt data is determined based on the error correction indicating uncorrectable data.

Example Embodiments

Random errors on a physical medium are detected and corrected by forward error correction (FEC). If accidental errors (e.g., caused by some line noise, etc.) change some bits, FEC is able to correct them and prevent the effect of the accidental errors. However, FEC is not a secure algorithm. Since FEC is typically performed by a well known algorithm, a malicious entity can generate a new frame with a new FEC redundancy, and there is no way to detect corrupt FEC data. Further, FEC is a linear code, and a frame may be modified in a way that a modified pattern retains the prior FEC redundancy (e.g., 1234567890 may have an FEC of ABCD, but 1543567890 also has an FEC of ABCD, etc.).

By way of example, optical transport network (OTN) frames are transmitted with a forward error correcting (FEC) field. This field allows a receiver to reconstruct the frame even if several errors are introduced. The receiver uses a Reed-Solomon error correcting code (e.g., RS(544, 514) with 10-bit symbols). A Reed-Solomon code may be expressed as RS(n,k), where k represents a number of symbols (of a specified bit length) in order to generate 2t error correction symbols. In other words, an encoder processes data of k symbols or segments (data portions of a specified bit length) and adds 2t error correction symbols or segments to produce an n symbol codeword. The error correction symbols may be appended to the data to form a codeword with a total length n, where 2t=n−k. A Reed-Solomon decoder corrects up to t erroneous symbols of a codeword.
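As an added example (not the patent's text nor Cisco's implementation), the following Python models the receive path the claims describe with a small code: RS(k+4, k) over GF(2^8), so t = 2 rather than the t = 15 of RS(544,514); each codeword symbol is encrypted independently by values from a per-frame keystream; the decoder corrects up to t symbol errors and reports anything else as uncorrectable. The keyed affine map used per symbol and the hash-based counter stream standing in for the AES-derived encrypted value are assumptions of this example, not the patent's construction.

```python
import functools, hashlib
# GF(2^8) log/antilog tables over the primitive polynomial x^8 + x^4 + x^3 + x^2 + 1 (0x11d).
EXP, LOG, _x = [0] * 512, [0] * 256, 1
for _i in range(255):
    EXP[_i], LOG[_x] = _x, _i
    _x = (_x << 1) ^ (0x11D if _x & 0x80 else 0)
for _i in range(255, 512): EXP[_i] = EXP[_i - 255]
NSYM = 4  # 2t parity symbols, so t = 2 here (the page's RS(544,514) has 2t = 30, t = 15)
def gmul(a, b): return 0 if a == 0 or b == 0 else EXP[LOG[a] + LOG[b]]
def gdiv(a, b): return 0 if a == 0 else EXP[LOG[a] - LOG[b] + 255]

def rs_encode(data):
    """Systematic RS(k + NSYM, k): k data symbols followed by NSYM FEC symbols (high-first)."""
    g = [1]  # generator g(x) = (x + 1)(x + a)(x + a^2)(x + a^3)
    for i in range(NSYM):
        g = [(g[j] if j < len(g) else 0) ^ (gmul(g[j - 1], EXP[i]) if j else 0) for j in range(len(g) + 1)]
    rem = list(data) + [0] * NSYM  # remainder of data(x) * x^NSYM divided by g(x)
    for i in range(len(data)):
        for j in range(1, NSYM + 1):
            rem[i + j] ^= gmul(g[j], rem[i])
    return list(data) + rem[len(data):]
def syndromes(cw):  # S_i = c(alpha^i) by Horner's rule; all zero exactly for a valid codeword
    return [functools.reduce(lambda y, c: gmul(y, EXP[i]) ^ c, cw, 0) for i in range(NSYM)]

def rs_decode(rx):
    """Return (corrected codeword, errors fixed), or None when the word is uncorrectable (> t errors)."""
    n, (S0, S1, S2, S3), out = len(rx), syndromes(rx), list(rx)
    if not (S0 or S1 or S2 or S3): return out, 0
    D = gmul(S1, S1) ^ gmul(S0, S2)  # D == 0 for a single error, where S_k = e * X^k with X = alpha^pos
    if D == 0:
        if S0 == 0: return None
        pos, mags = [LOG[gdiv(S1, S0)]], [S0]
    else:  # two errors (Peterson-Gorenstein-Zierler): the roots of x^2 + s1 x + s2 are the locators
        s1 = gdiv(gmul(S0, S3) ^ gmul(S1, S2), D)
        s2 = gdiv(gmul(S1, S3) ^ gmul(S2, S2), D)
        pos = [p for p in range(n) if EXP[2 * p] ^ gmul(s1, EXP[p]) ^ s2 == 0]
        if len(pos) != 2: return None
        X1, X2 = EXP[pos[0]], EXP[pos[1]]
        e2 = gdiv(S1 ^ gmul(X1, S0), X1 ^ X2)  # from S0 = e1 + e2 and S1 = e1 X1 + e2 X2
        mags = [S0 ^ e2, e2]
    if max(pos) >= n: return None  # locator points outside the shortened codeword
    for p, e in zip(pos, mags): out[n - 1 - p] ^= e
    return (out, len(pos)) if not any(syndromes(out)) else None  # reject inconsistent "corrections"
def keystream(key, frame_no, n):  # one (a, b) pair per codeword symbol, a forced nonzero
    # Stand-in for the patent's AES-derived "encrypted value": a hash counter stream (assumed here).
    ks = b"".join(hashlib.sha256(key + frame_no.to_bytes(8, "big") + bytes([i])).digest() for i in range(n // 16 + 1))
    return [(ks[2 * i] or 1, ks[2 * i + 1]) for i in range(n)]
# Keyed affine map per symbol (assumed). A bare XOR mask keeps the code linear, so a XORed-in codeword would still decode.
def encrypt(cw, ks): return [gmul(a, p) ^ b for p, (a, b) in zip(cw, ks)]
def decrypt(ct, ks): return [gdiv(c ^ b, a) for c, (a, b) in zip(ct, ks)]
```

With this mapping, a valid codeword XORed into the ciphertext, which an unencrypted Reed-Solomon decoder accepts silently, arrives after decryption as at least five symbol errors that the decoder cannot turn back into the original frame.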
In this case, the Reed-Solomon code, on reception, enables the receiver to recover the original frame (if corruption affected no more than fifteen 10-bit symbols), or (with good probability) replace the entire frame with a fixed error pattern if more than fifteen 10-bit symbols were randomly corrupted. However, this approach does not protect against intentional attacks. Since the Reed-Solomon algorithm is public, a malicious entity (e.g., individual, software, device, etc.) that makes a change can also compute the forward error correcting (FEC) field and replace the original FEC field contents. In addition, tampered frames are to be rejected. This can be difficult since detecting tampering resides very late in frame processing logic, and may require buffering a frame until the frame has been vetted which is costly. An example embodiment leverages benefits from forward error correction (FEC) since FEC is able to correct random errors (noise or bit changes), replace uncorrected codeword data with an error message, and store a codeword in a small first-in-first-out (FIFO) buffer. The example embodiment encrypts data so it is not possible to replace frames/packets with data inserted by a malicious entity. Further, data is processe