FlexE-based data encryption transmission method and system, storage medium and electronic device

By generating key digests and symmetric encryption keys to encrypt overhead frames and randomizing time slot allocation within FlexE groups, the problems of complex key generation and easy leakage of time slot configuration in existing FlexE technologies are solved, thereby improving transmission security and efficiency.

CN116781368BActive Publication Date: 2026-06-09CHINA TELECOM CORP LTD

Patent Information

Authority / Receiving Office
CN · China
Patent Type
Patents(China)
Current Assignee / Owner
CHINA TELECOM CORP LTD
Filing Date
2023-07-03
Publication Date
2026-06-09

AI Technical Summary

Technical Problem

The existing FlexE technology requires multiple rounds of iterative modulation and demodulation during key generation, which consumes a lot of forwarding resources. At the same time, the time slot configuration table lacks protection measures during transmission, making it vulnerable to being leaked by attackers, which affects transmission security and bandwidth efficiency.

Method used

By generating key digests and symmetric encryption keys, encrypting overhead frames based on the target time slot configuration table, and randomizing time slot allocation within the FlexE group, the secure transmission of service data sets is ensured while reducing resource consumption.

Benefits of technology

This approach achieves improved user experience and transmission efficiency by reducing the consumption of forwarding resources and network computing resources while ensuring transmission security.

✦ Generated by Eureka AI based on patent content.

Smart Images

  • Figure CN116781368B_ABST
    Figure CN116781368B_ABST
Patent Text Reader

Abstract

This application discloses a data encryption transmission method, system, storage medium, and electronic device based on FlexE. It includes: determining a network slice identifier to be sent to a terminal, and determining the service data frame and overhead frame corresponding to the network slice identifier; determining the target time slot configuration table of the FlexE group to which the terminal belongs, and determining the first bandwidth values ​​of multiple time slots corresponding to each physical port within the FlexE group based on the target time slot configuration table; generating a key digest and a symmetric encryption key based on the first bandwidth values ​​of the multiple time slots, and encrypting the target overhead code block storing the target time slot configuration table in the overhead frame based on the symmetric encryption key; composing an encrypted ciphertext from the encrypted target overhead block, the i-th group of service data transmitted according to the target time slot configuration table, and the key digest, and transmitting the encrypted ciphertext to the terminal. This application solves the technical problem of related technologies requiring multiple rounds of iterative modulation and demodulation when generating keys, which consumes a large amount of forwarding resources.
Need to check novelty before this filing date? Find Prior Art

Description

Technical Field

[0001] This application relates to the field of network security technology, and more specifically, to a data encryption transmission method, system, storage medium, and electronic device based on FlexE. Background Technology

[0002] Flexible Ethernet (Flex Eth or FlexE) is a more advanced Ethernet technology developed based on traditional Ethernet. FlexE primarily provides three functions: bonding, channelization, and sub-rate. Bonding refers to grouping multiple physical ports into a FlexE group, allowing multiple PHYs within the same FlexE group to transmit service flows together, thus supporting higher speeds. Furthermore, existing FlexE network slicing technology can randomize the transmission path of network slice identifier data blocks through a single time slot allocation mechanism, ensuring the effectiveness of the security isolation mechanism between bearer network slices.

[0003] However, the current time slot configuration table is switched only when users have bandwidth adjustment needs; otherwise, the time slot allocation mechanism is relatively fixed, thus limiting its randomness. Furthermore, the third overhead block containing the time slot configuration lacks protection during transmission at the FlexE Shim layer. If intercepted by an attacker, it can leak the transmission path, rendering the secure transmission mechanism of the service data block and overhead block ineffective. Even if the overhead block and service data block are fully encrypted together, it still incurs additional bandwidth adjustments and encryption / decryption overhead during transmission. Finally, the key generation method used in existing FlexE technology requires N rounds of iterative modulation and demodulation at both ends of the FlexE Shim layer, consuming significant forwarding resources and network computing power.

[0004] There is currently no effective solution to the above problems. Summary of the Invention

[0005] This application provides a data encryption transmission method, system, storage medium, and electronic device based on FlexE, to at least solve the technical problem that related technologies require multiple rounds of iterative modulation and demodulation when generating keys, which consumes a large amount of forwarding resources.

[0006] According to one aspect of the embodiments of this application, a data encryption transmission method based on FlexE is provided, comprising: determining a network slice identifier to be sent to a terminal, and determining a service data frame and an overhead frame corresponding to the network slice identifier, wherein the service data frame includes multiple sets of service data, and each set of service data includes multiple service data code blocks, and the overhead frame includes multiple overhead code blocks; determining a target time slot configuration table of the FlexE group to which the terminal belongs, and determining a first bandwidth value of multiple time slot ports corresponding to each physical port in the FlexE group based on the target time slot configuration table; generating a key digest and a symmetric encryption key based on the first bandwidth value of the multiple time slot ports, and encrypting the target overhead code block storing the target time slot configuration table in the overhead frame based on the symmetric encryption key; composing an encrypted ciphertext from the encrypted target overhead block, the i-th set of service data transmitted according to the target time slot configuration table, and the key digest, and transmitting the encrypted ciphertext to the terminal, wherein the terminal is used to decrypt the encrypted target overhead block according to the symmetric decryption key generated by the key digest to obtain the target time slot configuration table, and to recover the service data set according to the target time slot configuration table, where i is a positive integer greater than or equal to 1.

[0007] Optionally, determining the network slice identifier to be sent to the terminal, and determining the service data frame and overhead frame corresponding to the network slice identifier, includes: in response to the terminal's network service request, establishing a network connection based on the terminal's terminal identifier, and allocating a network slice identifier to the terminal based on the network connection, wherein the network slice identifier is used to segment network data frames, and the network data frames include: service data frames and overhead frames; reconstructing the network slice identifier into service data frames, and determining the overhead frame corresponding to the service data frames.

[0008] Optionally, generating a key digest and a symmetric encryption key based on the first bandwidth values ​​of multiple time slots includes: determining a target value based on the first bandwidth values ​​of multiple time slots, wherein the target value includes: the average, mode, median, or a first value composed of the standard deviation and the expected value of the bandwidth values ​​corresponding to the multiple time slots; determining a first value and a second value based on the target value, wherein the first value is any bandwidth value among the bandwidth values ​​corresponding to the multiple time slots that is greater than the target value, and the second value is any bandwidth value among the bandwidth values ​​corresponding to the multiple time slots that is not greater than the target value; and forming a key digest from the first time slot number corresponding to the first value, the target value, and the terminal identifier, and forming a symmetric encryption key from the second time slot number corresponding to the second value, the target value, and the terminal identifier.

[0009] Optionally, determining the first value and the second value based on the target value includes: determining the target value and a preset skewness standard to determine the first value and the second value, wherein, when the skewness standard is less than 0 or greater than 0, the bandwidth value greater than the target value among the bandwidth values ​​corresponding to multiple time slots is taken as the first value, and the other bandwidth values ​​besides the first value among the bandwidth values ​​corresponding to multiple time slots are taken as the second value; when the skewness standard is equal to 0, a second target value is determined, and when the bandwidth values ​​corresponding to multiple time slots are greater than multiple second target values, the first value and the second value are determined based on the larger second target value, wherein the second target value includes at least one of the following: the difference between the expected value and the standard deviation, the expected value, and the sum of the expected value and the standard deviation.

[0010] Optionally, the Calendar A codeword and Calendar B codeword of the target overhead code block of each overhead frame store the first time slot configuration table and the second time slot configuration table, respectively. The first time slot configuration table and the second time slot configuration table are used to transmit different service data sets to the terminal. The first time slot configuration table includes a first sub-time slot table corresponding to multiple physical ports, and the second time slot configuration table includes a second sub-time slot table corresponding to multiple physical ports.

[0011] Optionally, transmitting the i-th group of service data according to the target time slot configuration table includes: when i equals 1, determining to transmit the first group of service data according to the first target time slot configuration table, wherein the first target time slot configuration table includes either a first time slot configuration table or a second time slot configuration table; when i is greater than 1, determining to transmit the i-th group of service data according to the second target time slot configuration table, wherein the second target time slot configuration table includes: reducing the priority of the first sub-time slot table corresponding to the physical port with a larger first transmission delay in the second time slot configuration table based on the first transmission delay of each physical port in the first sub-time slot table, thereby obtaining an adjusted second time slot configuration table; or, reducing the priority of the second sub-time slot table corresponding to the physical port with a larger second transmission delay in the first time slot configuration table based on the second transmission delay of each physical port in the second sub-time slot table, thereby obtaining an adjusted first time slot configuration table.

[0012] Optionally, the target time slot configuration table includes: multiple target sub-time slot tables, wherein the process of the terminal generating a symmetric decryption key based on the key digest includes: the terminal obtaining the target value according to the key digest, and receiving the service data code block in the i-th group of service data sets according to the second bandwidth value of the multiple time slots corresponding to each physical port and the target sub-time slot table to determine the third time slot number corresponding to the second bandwidth value less than or equal to the target value, and generating a symmetric decryption key from the third time slot number, the target value and the terminal identifier.

[0013] According to another aspect of the embodiments of this application, a data encryption transmission system based on FlexE is also provided, including: a core network and a terminal, wherein the core network is used to determine a network slice identifier to be sent to the terminal, and to determine a service data frame and an overhead frame corresponding to the network slice identifier, wherein the service data frame includes multiple sets of service data, and each set of service data includes multiple service data code blocks, and the overhead frame includes multiple overhead code blocks; determine a target time slot configuration table of the FlexE group to which the terminal belongs, and determine a first bandwidth value of multiple time slot ports corresponding to each physical port in the FlexE group based on the target time slot configuration table; generate a key digest and a symmetric encryption key based on the first bandwidth value of the multiple time slot ports, and encrypt the target overhead code block storing the target time slot configuration table in the overhead frame based on the symmetric encryption key; encrypt the encrypted ciphertext composed of the encrypted target overhead block, the i-th set of service data transmitted according to the target time slot configuration table, and the key digest, and transmit the encrypted ciphertext to the terminal, wherein i is a positive integer greater than or equal to 1; the terminal is used to decrypt the encrypted target overhead block according to the symmetric decryption key generated by the key digest to obtain the target time slot configuration table, and to recover the service data set according to the target time slot configuration table.

[0014] According to another aspect of the embodiments of this application, a non-volatile storage medium is also provided, the non-volatile storage medium including a stored program, wherein the device where the non-volatile storage medium is located executes the above-described data encryption transmission method based on FlexE by running the program.

[0015] According to another aspect of the embodiments of this application, an electronic device is also provided, the electronic device including: a memory and a processor, wherein the memory stores a computer program, and the processor is configured to execute the above-described FlexE-based data encryption transmission method through the computer program.

[0016] In this embodiment, a network slice identifier is determined to be sent to the terminal, and a service data frame and an overhead frame corresponding to the network slice identifier are determined. The service data frame includes multiple sets of service data, and each set of service data includes multiple service data code blocks. The overhead frame includes multiple overhead code blocks. A target time slot configuration table for the FlexE group to which the terminal belongs is determined, and a first bandwidth value for multiple time slots corresponding to each physical port in the FlexE group is determined based on the target time slot configuration table. A key digest and a symmetric encryption key are generated based on the first bandwidth values ​​of the multiple time slots, and the target overhead code block storing the target time slot configuration table in the overhead frame is encrypted based on the symmetric encryption key. An encrypted ciphertext is composed of the encrypted target overhead block, the i-th set of service data transmitted according to the target time slot configuration table, and the key digest, and the encrypted ciphertext is transmitted to the terminal. The terminal is used to decrypt the encrypted target overhead block according to the symmetric decryption key generated by the key digest to obtain the target time slot configuration table, and to recover the service data set according to the target time slot configuration table. i is a positive integer greater than or equal to 1.

[0017] In the above technical solution, the core network generates a symmetric encryption key by statistically analyzing the bandwidth values ​​corresponding to multiple time slots of each physical port in the target time slot configuration table. This symmetric encryption key is then used to encrypt a specified overhead code block within the overhead frame. The randomness of the transmission channel allocation through the time slot allocation mechanism ensures secure transmission of the service data set. Compared to existing key generation technologies, this solution requires less forwarding and network computing resources, thus solving the technical problem that related technologies require multiple rounds of iterative modulation and demodulation when generating keys, which consumes a large amount of forwarding resources. Attached Figure Description

[0018] The accompanying drawings, which are included to provide a further understanding of this application and form part of this application, illustrate exemplary embodiments and are used to explain this application, but do not constitute an undue limitation of this application. In the drawings:

[0019] Figure 1 It is a flowchart of an optional key generation method based on relevant technologies;

[0020] Figure 2 This is a flowchart of an optional OTN encryption method based on relevant technologies;

[0021] Figure 3 This is a hardware structure block diagram of an optional computer terminal for implementing a FlexE-based data encryption transmission method according to an embodiment of this application;

[0022] Figure 4 This is a flowchart of an optional FlexE-based data encryption transmission method according to an embodiment of this application;

[0023] Figure 5a This is a schematic diagram of an optional time slot bandwidth distribution according to an embodiment of this application;

[0024] Figure 5b This is a schematic diagram of another optional time slot bandwidth distribution according to an embodiment of this application;

[0025] Figure 5c This is a schematic diagram of another optional time slot bandwidth distribution according to an embodiment of this application;

[0026] Figure 6 This is a flowchart of an optional time slot configuration table switching mechanism according to an embodiment of this application;

[0027] Figure 7 This is a schematic diagram of an optional FlexE-based data encryption transmission system according to an embodiment of this application;

[0028] Figure 8 This is an interactive flowchart of an optional FlexE-based data encryption transmission system according to an embodiment of this application;

[0029] Figure 9 This is a schematic diagram of an optional FlexE-based data encryption transmission device according to an embodiment of this application. Detailed Implementation

[0030] To enable those skilled in the art to better understand the present application, the technical solutions in the embodiments of the present application will be clearly and completely described below with reference to the accompanying drawings. Obviously, the described embodiments are only some embodiments of the present application, and not all embodiments. Based on the embodiments in the present application, all other embodiments obtained by those of ordinary skill in the art without creative effort should fall within the scope of protection of the present application.

[0031] It should be noted that the terms "first," "second," etc., used in the specification, claims, and drawings of this application are used to distinguish similar objects and are not necessarily used to describe a specific order or sequence. It should be understood that such data can be interchanged where appropriate so that the embodiments of this application described herein can be implemented in orders other than those illustrated or described herein. Furthermore, the terms "comprising" and "having," and any variations thereof, are intended to cover non-exclusive inclusion; for example, a process, method, system, product, or apparatus that comprises a series of steps or units is not necessarily limited to those steps or units explicitly listed, but may include other steps or units not explicitly listed or inherent to such processes, methods, products, or apparatus.

[0032] Furthermore, all information and data (including but not limited to user device information, user personal information, etc.) involved in this application are information and data authorized by the user or fully authorized by all parties. For example, this system has an interface with the relevant user or organization. Before obtaining relevant information, it needs to send an acquisition request to the aforementioned user or organization through the interface, and obtain the relevant information after receiving consent from the aforementioned user or organization.

[0033] Example 1

[0034] Typically, the execution flow of the key generation method used in existing FlexE technology is as follows: Figure 1 As shown, this process requires N rounds of pseudo-random number QNSC modulation and demodulation between the FlexE shim layer (user side) and the FlexE shim layer (core network side). Then, the bit error rate (BER) of each round of random number transmission is used to form an N-bit symmetric encryption key ka on the core network side. Then, the roles of the core network and terminal A (Client A) are reversed, and N rounds of QNSC modulation and demodulation are repeated to generate an N-bit symmetric decryption key kb on the user UE side. Therefore, the multiple rounds of QNSC modulation and demodulation operations increase the complexity of key updates and management, which is not conducive to scenarios with frequent key pair updates when there are a large number of user state changes in the cloud network environment.

[0035] Furthermore, the third overhead block containing the time slot configuration table lacks protection during transmission at the FlexE Shim layer. If intercepted by an attacker, this would leak the transmission path, rendering the secure transmission mechanism for service data and overhead code blocks ineffective. Even if protection is provided, it is fully encrypted along with the service data block using OTN technology. The execution flow of the OTN encryption scheme is as follows: Figure 2 As shown in Figure 2, if the OSU payload block (i.e., the full service data code block) and the OSU overhead block (i.e., the overhead code block) are fully encrypted using the encryption scheme shown in Figure 2, multiple sets of secure multi-frames need to be formed and encrypted for transmission. However, this method greatly increases the encryption frequency, generates additional forwarding bandwidth resources, and affects the user experience.

[0036] To address the aforementioned issues, this application proposes a data encryption transmission method based on FlexE. The specific implementation of this method will be described in detail below. It should be noted that the steps shown in the flowcharts can be executed in a computer system such as a set of computer-executable instructions. Furthermore, although a logical order is shown in the flowcharts, in some cases, the steps shown or described may be executed in a different order than that presented here.

[0037] The methods and embodiments provided in this application can be executed on mobile terminals, computer terminals, or similar computing devices. Figure 3 A hardware block diagram of a computer terminal for implementing a FlexE-based data encryption transmission method is shown. Figure 3 As shown, the computer terminal 30 (or mobile device 30) may include one or more processors 302 (shown as 302a, 302b, ..., 302n in the figure) (processor 302 may include, but is not limited to, a microprocessor MCU or a programmable logic device FPGA, etc.), a memory 304 for storing data, and a transmission device 306 for communication functions. In addition, it may also include: a display, an input / output interface (I / O interface), a universal serial bus (USB) port (which may be included as one of the ports of a BUS bus), a network interface, a power supply, and / or a camera. Those skilled in the art will understand that... Figure 3 The structure shown is for illustrative purposes only and does not limit the structure of the aforementioned electronic device. For example, computer terminal 30 may also include... Figure 3 The more or fewer components shown, or having the same Figure 3 The different configurations shown.

[0038] It should be noted that the aforementioned one or more processors 302 and / or other data processing circuits are generally referred to herein as "data processing circuits". These data processing circuits may be embodied, in whole or in part, in software, hardware, firmware, or any other combination thereof. Furthermore, the data processing circuits may be a single, independent processing module, or may be integrated, in whole or in part, into any other element within the computer terminal 30 (or mobile device). As involved in the embodiments of this application, the data processing circuits serve as a processor control mechanism (e.g., selection of a variable resistor termination path connected to an interface).

[0039] The memory 304 can be used to store software programs and modules of application software, such as the program instructions / data storage device corresponding to the FlexE-based data encryption transmission method in this embodiment. The processor 302 executes various functional applications and data processing by running the software programs and modules stored in the memory 304, thereby implementing the FlexE-based data encryption transmission method of the aforementioned application. The memory 304 may include high-speed random access memory and may also include non-volatile memory, such as one or more magnetic storage devices, flash memory, or other non-volatile solid-state memory. In some instances, the memory 304 may further include memory remotely located relative to the processor 302, and these remote memories can be connected to the computer terminal 30 via a network. Examples of such networks include, but are not limited to, the Internet, corporate intranets, local area networks, mobile communication networks, and combinations thereof.

[0040] The transmission device 306 is used to receive or send data via a network. Specific examples of the network described above may include a wireless network provided by the communication provider of the computer terminal 30. In one example, the transmission device 306 includes a Network Interface Controller (NIC), which can connect to other network devices via a base station to communicate with the Internet. In another example, the transmission device 306 may be a Radio Frequency (RF) module, used for wireless communication with the Internet.

[0041] The display may be, for example, a touchscreen liquid crystal display (LCD) that allows the user to interact with the user interface of the computer terminal 30 (or mobile device).

[0042] In the above environment, Figure 4 This is a flowchart of an optional FlexE-based data encryption transmission method according to an embodiment of this application, such as... Figure 4 As shown, the method includes at least steps S402-S408, wherein:

[0043] Step S402: Determine the network slice identifier to be sent to the terminal, and determine the service data frame and overhead frame corresponding to the network slice identifier.

[0044] In the technical solution provided in step S402, the network slice identifier sent by the core network to the terminal is used to identify the network slice to which the terminal belongs, so that the core network can provide the terminal with corresponding quality of service and network resources. The network slice is used to divide network data frames into multiple independent virtual networks to meet the needs of different applications. The network data frame includes service data frames and overhead frames. Therefore, the core network can determine the service data frames and overhead frames corresponding to the network slice identifier assigned to the terminal. The service data frames include multiple sets of service data, and each set of service data includes multiple service data code blocks. The overhead frames include multiple overhead code blocks. Typically, each set of service data includes no more than 1023*20 service data code blocks, and the overhead frames typically contain 8 overhead code blocks.

[0045] As an optional implementation, in the technical solution provided in step S402 above, the method may include: responding to a network service request from a terminal, establishing a network connection based on the terminal identifier of the terminal, and allocating a network slice identifier to the terminal based on the network connection, wherein the network slice identifier is used to segment network data frames, and the network data frame includes: a service data frame and an overhead frame; reconstructing the network slice identifier into a service data frame, and determining the overhead frame corresponding to the service data frame.

[0046] In this embodiment, the core network responds to the terminal's network service request and establishes a network connection between them based on the terminal's identifier. Then, the AMF (Access and Mobility Management Function) network element on the core network side allocates an SMF (Session Management Function) to the terminal. The SMF is responsible for managing the terminal's sessions and data transmission, and the AMF network element of the core network assigns a network slice identifier to the terminal, such as "TEST1366A". Next, the network slice identifier is reconstructed into multiple sets of service data blocks, and the overhead frame corresponding to the service data frame is determined. Subsequently, while transmitting each set of service data according to the time slot configuration table, an overhead block is also transmitted. That is, according to the time slot configuration table, an overhead block is sent for every 1023*20 service data blocks sent.

[0047] Step S404: Determine the target timeslot configuration table of the FlexE group to which the terminal belongs, and determine the first bandwidth value of multiple timeslot ports corresponding to each physical port in the FlexE group based on the target timeslot configuration table.

[0048] In the technical solution provided in step S404, the core network determines the target timeslot configuration table of the FlexE group to which the terminal belongs. Each FlexE group includes multiple physical ports, and each FlexE group corresponds to two timeslot configuration tables. The bandwidth values ​​corresponding to each timeslot port in the same timeslot configuration table may be inconsistent. Therefore, the core network can determine the first bandwidth value of multiple timeslot ports corresponding to each physical port in the FlexE group based on the target timeslot configuration table.

[0049] Step S406: Generate a key digest and a symmetric encryption key based on the first bandwidth value of multiple time slots, and encrypt the target overhead code block of the target time slot configuration table stored in the overhead frame based on the symmetric encryption key.

[0050] In the technical solution provided in step S406, the core network can generate a key digest and a symmetric encryption key based on the first bandwidth value of multiple time slots. The key digest is part of the private key sequence and can be represented as d. The symmetric encryption key can be represented as ka. Thus, the core network can encrypt only the target overhead code block of the target time slot configuration table stored in the overhead frame according to the symmetric encryption key, so as to achieve secure transmission of network slice identifiers with minimal resource consumption, and at the same time improve the user experience.

[0051] As an optional implementation, in the technical solution provided in step S406 above, the process of generating the key digest and the symmetric encryption key includes steps S4061-S4063, wherein:

[0052] Step S4061: Determine the target value based on the first bandwidth values ​​of multiple time slots, wherein the target value includes: the average value, mode value, median value of the bandwidth values ​​corresponding to multiple time slots, or a first value composed of the expected value and the standard deviation.

[0053] Step S4062: Determine the first value and the second value based on the target value, wherein the first value is any bandwidth value among the bandwidth values ​​corresponding to multiple time slots that is greater than the target value, and the second value is any bandwidth value among the bandwidth values ​​corresponding to multiple time slots that is less than the target value.

[0054] Step S4063: A key digest is formed by the first time slot number corresponding to the first value, the target value, and the terminal identifier, and a symmetric encryption key is formed by the second time slot number corresponding to the second value, the target value, and the terminal identifier.

[0055] In the above embodiments, specifically, the core network can first calculate the average, mode, median, or a first value composed of the expected value and standard deviation of the first bandwidth values ​​of multiple time slots, and select any one of them as the target value; then, according to the target value, select the time slot number corresponding to any bandwidth value higher than the target value as the first value, and select the time slot number corresponding to the bandwidth value lower than the target value as the second value; finally, the first time slot number corresponding to the first value, the target value, and the terminal ID (i.e., the terminal identifier) ​​are used to form the key digest d, and the second time slot number corresponding to the second value, the target value, and the terminal ID are used to form the symmetric encryption key ka.

[0056] Optionally, in the technical solution provided in step S4062 above, the process of determining the first value and the second value further includes: determining the target value and a preset skewness standard to determine the first value and the second value, wherein, when the skewness standard is less than 0 or greater than 0, a first target value is determined, and when the bandwidth value corresponding to multiple time slots is greater than multiple first target values, the first value and the second value are determined based on the larger first target value, wherein the first target value includes at least one of the following: average value, median value, mode value; when the skewness standard is equal to 0, a second target value is determined, and when the bandwidth value corresponding to multiple time slots is greater than multiple second target values, the first value and the second value are determined based on the larger second target value, wherein the second target value includes at least one of the following: the difference between the expected value and the standard deviation, the expected value, the sum of the expected value and the standard deviation.

[0057] The generation process of key digests and symmetric encryption keys will be explained below using examples of skewness greater than 0, skewness equal to 0, and skewness less than 0. It should be noted that since the time slot configuration table corresponding to each FlexE group can configure multiple terminals, and the number of time slots configured for each terminal is not exactly equal, the following explanation will use multiple terminals (i.e., user A, user B, and user C).

[0058] Specifically, Figure 5a This is an optional distribution diagram of the bandwidth values ​​corresponding to each time slot within a FlexE group according to an embodiment of this application, such as... Figure 5a As shown, when the skewness is greater than 0, the larger of the mean, median, and mode can be used as the target value. The largest bandwidth value greater than the target value is selected from the bandwidth values ​​corresponding to multiple time slots as the first value, and the key digest d of each terminal is obtained from this (where the key digest is used to reconstruct the private key sequence). Therefore, the key digest d of user A can be recorded as 11-21-mean-terminal ID corresponding to user A, the key digest d of user B can be recorded as 01-09-median-terminal ID corresponding to user B, and the key digest d of user C can be recorded as 44-32-mode-terminal ID corresponding to user C. Next, the bandwidth values ​​other than the first value in the bandwidth values ​​corresponding to each terminal are taken as the second value, and the symmetric encryption key ka of each terminal is obtained from this. Therefore, the symmetric encryption key ka of user A can be recorded as 05-10-07-33-22-04-mean-terminal ID corresponding to user A, the symmetric encryption key ka of user B can be recorded as 14-12-25-median-terminal ID corresponding to user B, and the symmetric encryption key ka of user C can be recorded as 03-98-06-mode-terminal ID corresponding to user C.

[0059] Figure 5b This is another optional distribution diagram of the bandwidth values ​​corresponding to each time slot within the FlexE group in this application embodiment, such as... Figure 5b As shown, when the skewness is equal to 0, the expected value μ and the expected value μ can be... The larger of the standard deviations δ is taken as the target value. A bandwidth value greater than the target value is selected from the bandwidth values ​​corresponding to multiple time slots as the first value, and the key digest d for each terminal is obtained from this. Therefore, the key digest d for user A can be denoted as 04-μ+δ-terminal ID corresponding to user A, the key digest d for user B can be denoted as 09-μ-terminal ID corresponding to user B, and the key digest d for user C can be denoted as 44-μ-δ-terminal ID corresponding to user C. Next, the bandwidth values ​​other than the first value are taken as the second value, and the symmetric encryption key ka for each terminal is obtained from this. Therefore, the symmetric encryption key ka for user A can be denoted as 05-10-07-11-33-22-01-μ+δ-terminal ID corresponding to user A, the symmetric encryption key ka for user B can be denoted as 14-12-25-μ--terminal ID corresponding to user B, and the symmetric encryption key ka for user C can be denoted as 32-03-98-06-μ-δ-terminal ID corresponding to user C.

[0060] Figure 5c This is another optional distribution diagram of the bandwidth values ​​corresponding to each time slot within the FlexE group in this application embodiment, such as... Figure 5c As shown, when the skewness is less than 0, similar to when the skewness is greater than 0, the larger value among the mean, median, and mode can be used as the target value. Then, the bandwidth value greater than the target value is selected from the bandwidth values ​​corresponding to multiple time slots as the first value, and the key digest d of each terminal is obtained from this. Therefore, the key digest d of user A can be recorded as 07-mode-terminal ID corresponding to user A, the key digest d of user B can be recorded as 25-median-terminal ID corresponding to user B, and the key digest d of user C can be recorded as 03-98-mean-terminal ID corresponding to user C. Next, the bandwidth values ​​other than the first value among the multiple bandwidth values ​​corresponding to each terminal are taken as the second value, and the symmetric encryption key ka of each terminal is obtained from this. Therefore, the symmetric encryption key ka of user A can be recorded as 05-10-11-21-33-22-mode-terminal ID corresponding to user A, the symmetric encryption key ka of user B can be recorded as 04-01-09-14-12-median-terminal ID corresponding to user B, and the symmetric encryption key ka of user C can be recorded as 44-32-08-mean-terminal ID corresponding to user C.

[0061] Furthermore, after obtaining the symmetric encryption key, the core network will also encrypt the target overhead code block of the target time slot configuration table stored in the overhead frame based on the symmetric encryption key. This significantly reduces the frequency of full encryption and decryption of service data code blocks and overhead code blocks during transmission while protecting the target overhead code. This ensures transmission security while minimizing the occupation of cloud network computing instances and forwarding resources, effectively improving the user experience.

[0062] Step S408: The encrypted ciphertext is composed of the encrypted target overhead block, the i-th set of service data transmitted according to the target time slot configuration table, and the key digest, and the encrypted ciphertext is transmitted to the terminal.

[0063] In the technical solution provided in step S408, the core network can transmit encrypted ciphertext, consisting of an encrypted target overhead block (i.e., an encrypted target time slot configuration table), the i-th set of service data transmitted according to the target time slot configuration table, and a key digest, to the terminal, thereby ensuring the secure transmission of the service data set. Here, i is a positive integer greater than or equal to 1. Furthermore, since each FlexE group corresponds to two time slot configuration tables (i.e., a first time slot configuration table and a second time slot configuration table), and these two time slot configuration tables are stored respectively in the Calendar A codeword and Calendar B codeword of the target overhead code block of each overhead frame, the secure transmission of the network slice identifier is protected by randomizing the time slot configuration table switching mechanism when transmitting the service data set. Therefore, this application embodiment aims to compensate for the lack of a time slot table switching mechanism when the user has no bandwidth adjustment requirements, and proposes to alternately use the first time slot configuration table and the second time slot configuration table to transmit different service data sets to the terminal. The first time slot configuration table includes: a first sub-time slot table corresponding to multiple physical ports, and the second time slot configuration table includes: a second sub-time slot table corresponding to multiple physical ports. After receiving the encrypted ciphertext, the terminal decrypts it to obtain the business data set.

[0064] As an optional implementation, in the technical solution provided in step S408 above, transmitting the i-th group of service data sets according to the target time slot configuration table includes:

[0065] When i equals 1, it is determined that the first set of service data will be transmitted according to the first target time slot configuration table, wherein the first target time slot configuration table includes: a first time slot configuration table or a second time slot configuration table;

[0066] When i is greater than 1, it is determined that the i-th group of service data sets will be transmitted according to the second target time slot configuration table. The second target time slot configuration table includes: based on the first transmission delay of transmitting the i-1 group of service data sets according to the first sub-time slot table for each physical port, the priority of the first sub-time slot table corresponding to the physical port with the larger first transmission delay in the second time slot configuration table is reduced, resulting in an adjusted second time slot configuration table; or, based on the second transmission delay of transmitting the i-1 group of service data sets according to the second sub-time slot table for each physical port, the priority of the second sub-time slot table corresponding to the physical port with the larger second transmission delay in the first time slot configuration table is reduced.

[0067] The above can be understood as follows: when transmitting the first set of service data consisting of 1023*20 service data blocks, this set of service data can be transmitted directly according to either the first time slot configuration table or the second time slot configuration table. However, when transmitting the second set of service data consisting of 1023*20 service data blocks, if the first time slot configuration table used initially may have performance bottlenecks, the priority order of each first sub-time slot table in the second time slot configuration table can be adjusted according to the performance of its corresponding first sub-time slot table, and the set of service data can be transmitted according to the adjusted second target time slot configuration table. It should be noted that the priority order of each sub-time slot table in the original first time slot configuration table and the second time slot configuration table is consistent.

[0068] For example, taking the network slice identifier "TEST1366A" as an example, Figure 6 This is a schematic diagram illustrating the principle of an optional time slot table slicing according to an embodiment of this application, as shown below. Figure 6 As shown, the existing FlexE time slot mapping switching mechanism only switches the time slot configuration table between Calendar A codeword and Calendar B codeword when the user's quality of service requirements change. It typically uses the original time slot configuration table to transmit the service data code block corresponding to the network slice identifier, such as... Figure 6 As shown in steps 1-2a, when the first time slot configuration table of Calendar A is leaked, the attacker can obtain the service data code blocks transmitted by each time slot of the physical port PHYA1 to A4 according to the configuration order of the leaked first time slot configuration table, thereby restoring the network slice identifier "TEST1366A".

[0069] However, in order to avoid the above-mentioned problems, this application proposes that when the user does not need to adjust the bandwidth, the two ends of the FlexE layer can adjust the first time slot configuration table in the Calendar A codeword according to the delay change magnitude of each service data set when it reaches the physical port during the current transmission process based on the network slice identifier. After forming a new time slot configuration table, it is stored in the Calendar B codeword and used for the transmission of the next set of service data sets.

[0070] In other words, as shown in step S2b, the first delay changes of each physical port PHYA1 to A4 are recorded at both ends of the FlexE Shim layer when transmitting a set of service data according to the first time slot configuration table. That is, the transmission delay changes of the “TEST” part are recorded. The top N absolute values ​​of the first delay changes (N can be 2 in this embodiment) are selected, and the priority of the first sub-time slot table corresponding to the physical port with the top N absolute values ​​of the first delay changes is reduced in the second time slot configuration table stored in the Calendar B codeword. As shown in steps 3b-4b, when PHYA1 and PHYA3 transmit the “TEST” part, the absolute value of the delay change of each service data code block arriving at the physical port is relatively large. Therefore, the priority of the first sub-time slot table containing the identifiers “T” and “S” in the second time slot configuration table is reduced. Since “1” and “6” are allocated to the two physical ports PHYA1 and PHYA3 in the second round of transmission, when the attacker transmits according to the original Calendar B codeword, the first sub-time slot table containing the identifiers “T” and “S” is reduced in the second time slot configuration table. The network slice identifier restored from the first time slot configuration of A is "TEST36A16", therefore it cannot perform unauthorized access to the network resources corresponding to the network slice identifier "TEST1366A".

[0071] Since the technical solution for switching the second time slot configuration table to the first time slot configuration table is similar to the technical solution for switching the first time slot configuration table to the second time slot configuration table, the specific implementation process is not described in detail. You can refer to the example description of the technical solution for switching the first time slot configuration table to the second time slot configuration table.

[0072] Furthermore, the process of the terminal generating a symmetric decryption key based on the key digest includes: the terminal obtaining the target value based on the key digest, and determining the third time slot number corresponding to the second bandwidth value less than or equal to the target value based on the second bandwidth value of the service data code block in the i-th group of service data sets received by multiple time slots corresponding to each physical port according to the target sub-time slot table; and generating the symmetric decryption key by using the third time slot number, the target value, and the terminal identifier. Since the target time slot configuration table is not visible to the terminal, the terminal only enumerates the bandwidth values ​​of different time slots sequentially based on the service data code blocks received by each physical port, thereby forming a bandwidth contingency table.

[0073] Specifically, since the target time slot configuration table includes multiple target sub-time slot tables, the terminal can first obtain the target value based on the key digest d, which is any one of the average, mode, median, or standard deviation of the expected value of the bandwidth value. Then, based on the second bandwidth value of the service data code block in the i-th group of service data blocks received by multiple time slots corresponding to each physical port near the FlexE Shim layer-user side according to the target sub-time slot, the terminal determines the third time slot port number corresponding to the bandwidth value whose second bandwidth value of multiple time slot ports is not greater than the target value. The terminal side's symmetric decryption key is generated by the third time slot port number, the target value, and the terminal identifier. Thus, due to the opacity of the bandwidth data distribution characteristics of the core network and the terminal, the difficulty for attackers to recover the symmetric key is greatly increased.

[0074] Based on the scheme defined in steps S402 to S408 above, it can be understood that in the embodiment, a network slice identifier to be sent to the terminal is determined, and a service data frame and an overhead frame corresponding to the network slice identifier are determined. The service data frame includes multiple sets of service data, and each set of service data includes multiple service data code blocks. The overhead frame includes multiple overhead code blocks. A target time slot configuration table for the FlexE group to which the terminal belongs is determined, and the first bandwidth value of multiple time slot ports corresponding to each physical port in the FlexE group is determined based on the target time slot configuration table. A key digest and a symmetric encryption key are generated based on the first bandwidth values ​​of the multiple time slot ports, and the target overhead code block storing the target time slot configuration table in the overhead frame is encrypted based on the symmetric encryption key. An encrypted ciphertext is composed of the encrypted target overhead block, the i-th set of service data transmitted according to the target time slot configuration table, and the key digest, and the encrypted ciphertext is transmitted to the terminal. The terminal uses the symmetric decryption key generated based on the key digest to decrypt the encrypted target overhead block, obtain the target time slot configuration table, and recover the service data set according to the target time slot configuration table. i is a positive integer greater than or equal to 1.

[0075] Using the above method, a highly secure symmetric key can be obtained by performing only one round of statistics on both the core network side and the terminal side. Furthermore, the randomness of the bandwidth values ​​of each time slot port in the target time slot configuration table of the core network used to generate the symmetric key, as well as the randomness of the bandwidth values ​​of each physical port on the terminal side when receiving service data code blocks according to the template time slot configuration table, combined with the randomness of the statistical values ​​of the selected bandwidth values, exceeds the randomness of existing encryption technologies (i.e., the BER of N rounds of QNSC modulation and demodulation). Moreover, it is superior to existing encryption technologies in terms of both security and cost-effectiveness. Furthermore, in this embodiment, a symmetric encryption key is used to encrypt the target overhead code block of the target time slot configuration table. Based on the latency information of the service data code block transmitted by each physical port in a time slot configuration table, the priority of the sub-time slot table corresponding to the physical port with the TOP N absolute value changes is adjusted in another time slot configuration table to form the time slot configuration table used in the next round (that is, the priority order of each sub-time slot table in the time slot configuration table used for each transmission of network slice identifier is mostly different). This ensures that the time slot port data and physical port data at both ends of the FlexE shim layer are not visible to the outside world. Even if an attacker intercepts the key digest used to restore the decryption key, he still cannot restore the symmetric encryption key ka or the symmetric decryption key kb.

[0076] Example 2

[0077] According to embodiments of this application, a FlexE-based data encryption transmission system for implementing the above-described FlexE-based data encryption transmission method is also provided. Figure 7 This is a schematic diagram of an optional FlexE-based data encryption transmission system according to an embodiment of this application, as shown below. Figure 7 As shown, the system 70 includes at least a core network 71 and a terminal 72, wherein:

[0078] Core network 71 is used to determine the network slice identifier to be sent to terminal 72, and to determine the service data frame and overhead frame corresponding to the network slice identifier. The service data frame includes multiple sets of service data, and each set of service data includes multiple service data code blocks. The overhead frame includes multiple overhead code blocks. Core network 71 is used to determine the target time slot configuration table of the FlexE group to which the terminal belongs, and to determine the first bandwidth value of multiple time slots corresponding to each physical port in the FlexE group based on the target time slot configuration table. Core network 71 is used to generate a key digest and a symmetric encryption key based on the first bandwidth value of multiple time slots, and to encrypt the target overhead code block storing the target time slot configuration table in the overhead frame based on the symmetric encryption key. Core network 71 is used to form an encrypted ciphertext by the encrypted target overhead block, the i-th set of service data transmitted according to the target time slot configuration table, and the key digest, and to transmit the encrypted ciphertext to terminal 72, where i is a positive integer greater than or equal to 1.

[0079] Terminal 72 is used to decrypt the encrypted target overhead block based on the symmetric decryption key generated by the key digest, obtain the target time slot configuration table, and restore the service data set based on the target time slot configuration table.

[0080] Optionally, the system also includes a bearer network 73, wherein the FlexE shim layer of the bearer network 73 is used to determine the target time slot configuration table for each set of service data transmitted from the core network 71 to the terminal 72. Specifically, the Calendar A codeword and Calendar B codeword of the target overhead code block of each overhead frame store the first time slot configuration table and the second time slot configuration table, respectively, and the first time slot configuration table and the second time slot configuration table are used to transmit different sets of service data to the terminal. The first time slot configuration table includes a first sub-time slot table corresponding to multiple physical ports, and the second time slot configuration table includes a second sub-time slot table corresponding to multiple physical ports.

[0081] Therefore, when users do not require bandwidth adjustment, the target time slot configuration table for transmitting the i-th set of service data can be determined as follows: When i equals 1, the core network 71 directly transmits the first set of service data to the terminal 72 according to the first target time slot configuration table, wherein the FlexE shim layer uses either the first time slot configuration table or the second time slot configuration table as the first target time slot configuration table; when i is greater than 1, the core network 71 determines to transmit the i-th set of service data to the terminal 72 according to the second .... The shim layer transmits the first transmission delay of the (i-1)th group of service data sets according to the first sub-time slot table of each physical port, and reduces the priority of the first sub-time slot table corresponding to the physical port with the larger first transmission delay in the second time slot configuration table, and uses the adjusted second time slot configuration table as the second target time slot configuration table; or, the bearer network 73 transmits the second transmission delay of the (i-1)th group of service data sets according to the second sub-time slot table of each physical port, and reduces the priority of the second sub-time slot table corresponding to the physical port with the larger second transmission delay in the first time slot configuration table, and uses the adjusted first time slot table as the second target time slot configuration table.

[0082] As an optional implementation method, Figure 8 This is an interactive flowchart of an optional FlexE-based data encryption transmission system according to an embodiment of this application, such as... Figure 8 As shown, the interaction process of the FlexE-based data encryption transmission system will be explained using the transmission of the third set of service data according to the second time slot configuration table in the Calendar B codeword as an example.

[0083] Step S1: Terminal 72 initiates an attachment to the authentication and authorization network element of core network 71 based on the terminal identifier to establish a network connection;

[0084] In step S2, the resource allocation network element of the core network 71 determines the network slice identifier to be sent to the terminal 72, and determines multiple sets of service data corresponding to the network slice identifier, wherein each set of service data includes 1023*20 service data code blocks.

[0085] Step S3: The FlexE shim layer of the bearer network 73 records the delay changes of each service data code block arriving at multiple time slots of the physical port when transmitting the second set of service data according to the first time slot configuration table, and obtains the adjusted second time slot configuration table according to the priority of the first sub-time slot table of the physical port with the larger absolute value of delay change in the second time slot configuration table.

[0086] Step S4: The encryption unit of the core network 71 performs statistics on the bandwidth values ​​corresponding to multiple time slots of each physical port in the second time slot configuration table of the FlexE group to which the terminal belongs.

[0087] Step S5: The encryption unit of core network 71 generates a key digest and a symmetric encryption key based on the bandwidth values ​​and terminal identifiers corresponding to multiple time slots.

[0088] Step S6: The resource allocation network element of the core network 71 provides the target overhead code block of the second time slot configuration table with storage adjustment to the encryption unit;

[0089] Step S7: The encryption unit of the core network 71 encrypts the target overhead code block using a symmetric encryption key;

[0090] In step S8, the encryption unit of the core network 71 sends the encrypted target overhead code block and the symmetric encryption key to the resource allocation network element;

[0091] Step S9: The resource allocation network element of the core network 71 transmits the encrypted target overhead code block to the terminal 72, which consists of the third set of service data transmitted according to the adjusted second time slot configuration table and the encrypted ciphertext composed of the symmetric encryption key.

[0092] In step S10, terminal 72 generates a symmetric decryption key based on the key digest and decrypts the encrypted target overhead block based on the symmetric decryption key to obtain the adjusted second time slot configuration table. Thus, terminal 72 can receive the third set of service data according to the adjusted second time slot configuration table.

[0093] Example 3

[0094] According to an embodiment of this application, a FlexE-based data encryption transmission apparatus for implementing the above-described FlexE-based data encryption transmission method is also provided. Figure 9 This is a schematic diagram of an optional FlexE-based data encryption transmission device according to an embodiment of this application, as shown below. Figure 9As shown, the device includes at least a first determining module 91, a second determining module 92, an encryption module 93, and a transmission module 94, wherein:

[0095] The first determining module 91 is used to determine the network slice identifier sent to the terminal, and to determine the service data frame and overhead frame corresponding to the network slice identifier. The service data frame includes multiple sets of service data, and each set of service data includes multiple service data code blocks. The overhead frame includes multiple overhead code blocks.

[0096] The second determining module 92 is used to determine the target time slot configuration table of the FlexE group to which the terminal belongs, and to determine the first bandwidth value of multiple time slots corresponding to each physical port in the FlexE group based on the target time slot configuration table.

[0097] The encryption module 93 is used to generate a key digest and a symmetric encryption key based on the first bandwidth value of multiple time slots, and to encrypt the target overhead code block of the target time slot configuration table stored in the overhead frame based on the symmetric encryption key;

[0098] The transmission module 94 is used to assemble an encrypted ciphertext from the encrypted target overhead block, the i-th set of service data transmitted according to the target time slot configuration table, and the key digest, and transmit the encrypted ciphertext to the terminal. The terminal is used to decrypt the encrypted target overhead block according to the symmetric decryption key generated by the key digest to obtain the target time slot configuration table, and to recover the service data set according to the target time slot configuration table, where i is a positive integer greater than or equal to 1.

[0099] It should be noted that each part of the data encryption transmission device based on FlexE in this application corresponds one-to-one with each implementation step of the data encryption transmission method based on FlexE in Embodiment 1. Since Embodiment 1 has been described in detail, some details not shown in this embodiment can be referred to Embodiment 1, and will not be elaborated further here.

[0100] Example 4

[0101] According to an embodiment of this application, a non-volatile storage medium is also provided, which includes a stored program, wherein the device where the non-volatile storage medium is located executes the FlexE-based data encryption transmission method in Embodiment 1 by running the program.

[0102] Specifically, the device containing the non-volatile storage medium executes the following steps by running this program: determining the network slice identifier to be sent to the terminal, and determining the service data frame and overhead frame corresponding to the network slice identifier. The service data frame includes multiple sets of service data, and each set of service data includes multiple service data code blocks. The overhead frame includes multiple overhead code blocks. The target time slot configuration table of the FlexE group to which the terminal belongs is determined, and the first bandwidth value of multiple time slot ports corresponding to each physical port within the FlexE group is determined based on the target time slot configuration table. A key digest and a symmetric encryption key are generated based on the first bandwidth values ​​of the multiple time slot ports, and the target overhead code block storing the target time slot configuration table in the overhead frame is encrypted based on the symmetric encryption key. An encrypted ciphertext is composed of the encrypted target overhead block, the i-th set of service data transmitted according to the target time slot configuration table, and the key digest. The encrypted ciphertext is transmitted to the terminal, where the terminal uses the symmetric decryption key generated from the key digest to decrypt the encrypted target overhead block, obtain the target time slot configuration table, and recover the service data set according to the target time slot configuration table. Here, i is a positive integer greater than or equal to 1.

[0103] According to an embodiment of this application, a processor is also provided for running a program, wherein the program executes the FlexE-based data encryption transmission method in embodiment 1 during runtime.

[0104] Specifically, the program executes the following steps during runtime: It determines the network slice identifier to be sent to the terminal, and determines the service data frame and overhead frame corresponding to the network slice identifier. The service data frame includes multiple sets of service data, and each set of service data includes multiple service data code blocks. The overhead frame includes multiple overhead code blocks. It determines the target time slot configuration table for the FlexE group to which the terminal belongs, and determines the first bandwidth value of multiple time slots corresponding to each physical port within the FlexE group based on the target time slot configuration table. It generates a key digest and a symmetric encryption key based on the first bandwidth values ​​of the multiple time slots, and encrypts the target overhead code block storing the target time slot configuration table within the overhead frame based on the symmetric encryption key. It assembles an encrypted ciphertext from the encrypted target overhead block, the i-th set of service data transmitted according to the target time slot configuration table, and the key digest, and transmits the encrypted ciphertext to the terminal. The terminal uses the symmetric decryption key generated from the key digest to decrypt the encrypted target overhead block, obtain the target time slot configuration table, and recover the service data set based on the target time slot configuration table. Here, i is a positive integer greater than or equal to 1.

[0105] According to an embodiment of this application, an electronic device is also provided, comprising: a memory and a processor, wherein the memory stores a computer program, and the processor is configured to execute the FlexE-based data encryption transmission method of Embodiment 1 through the computer program.

[0106] Specifically, the processor is configured to execute the following steps via a computer program: determine the network slice identifier to be sent to the terminal, and determine the service data frame and overhead frame corresponding to the network slice identifier, wherein the service data frame includes multiple sets of service data, and each set of service data includes multiple service data code blocks, and the overhead frame includes multiple overhead code blocks; determine the target time slot configuration table of the FlexE group to which the terminal belongs, and determine the first bandwidth value of multiple time slot ports corresponding to each physical port in the FlexE group based on the target time slot configuration table; generate a key digest and a symmetric encryption key based on the first bandwidth value of the multiple time slot ports, and encrypt the target overhead code block storing the target time slot configuration table in the overhead frame based on the symmetric encryption key; compose an encrypted ciphertext from the encrypted target overhead block, the i-th set of service data transmitted according to the target time slot configuration table, and the key digest, and transmit the encrypted ciphertext to the terminal, wherein the terminal is used to decrypt the encrypted target overhead block according to the symmetric decryption key generated by the key digest to obtain the target time slot configuration table, and recover the service data set according to the target time slot configuration table, where i is a positive integer greater than or equal to 1.

[0107] The sequence numbers of the embodiments in this application are for descriptive purposes only and do not represent the superiority or inferiority of the embodiments.

[0108] In the above embodiments of this application, the descriptions of each embodiment have different focuses. For parts not described in detail in a certain embodiment, please refer to the relevant descriptions of other embodiments.

[0109] In the several embodiments provided in this application, it should be understood that the disclosed technical content can be implemented in other ways. The device embodiments described above are merely illustrative; for example, the division of units can be a logical functional division, and in actual implementation, there may be other division methods. For example, multiple units or components may be combined or integrated into another system, or some features may be ignored or not executed. Furthermore, the displayed or discussed mutual couplings, direct couplings, or communication connections may be through some interfaces; indirect couplings or communication connections between units or modules may be electrical or other forms.

[0110] The units described as separate components may or may not be physically separate. The components shown as units may or may not be physical units; that is, they may be located in one place or distributed across multiple units. Some or all of the units can be selected to achieve the purpose of this embodiment according to actual needs.

[0111] Furthermore, the functional units in the various embodiments of this application can be integrated into one processing unit, or each unit can exist physically separately, or two or more units can be integrated into one unit. The integrated unit can be implemented in hardware or as a software functional unit.

[0112] If the integrated unit is implemented as a software functional unit and sold or used as an independent product, it can be stored in a computer-readable storage medium. Based on this understanding, the technical solution of this application, in essence, or the part that contributes to the prior art, or all or part of the technical solution, can be embodied in the form of a software product. This computer software product is stored in a storage medium and includes several instructions to cause a computer device (which may be a personal computer, server, or network device, etc.) to execute all or part of the steps of the methods of the various embodiments of this application. The aforementioned storage medium includes various media capable of storing program code, such as a USB flash drive, read-only memory (ROM), random access memory (RAM), portable hard drive, magnetic disk, or optical disk.

[0113] The above are merely preferred embodiments of this application. It should be noted that those skilled in the art can make various improvements and modifications without departing from the principles of this application, and these improvements and modifications should also be considered within the scope of protection of this application.

Claims

1. A data encryption transmission method based on FlexE, characterized in that, include: The network slice identifier to be sent to the terminal is determined, and the service data frame and overhead frame corresponding to the network slice identifier are determined. The service data frame includes multiple sets of service data, and each set of service data includes multiple service data code blocks. The overhead frame includes multiple overhead code blocks. Determine the target time slot configuration table of the FlexE group to which the terminal belongs, and determine the first bandwidth value of multiple time slots corresponding to each physical port in the FlexE group based on the target time slot configuration table; A key digest and a symmetric encryption key are generated based on the first bandwidth values ​​of the multiple time slots, and the target overhead code block storing the target time slot configuration table is encrypted based on the symmetric encryption key; An encrypted ciphertext is composed of the encrypted target overhead code block, the i-th set of service data transmitted according to the target time slot configuration table, and the key digest. The encrypted ciphertext is then transmitted to the terminal. The terminal is used to decrypt the encrypted target overhead code block based on the symmetric decryption key generated by the key digest to obtain the target time slot configuration table, and to recover the service data set based on the target time slot configuration table. i is a positive integer greater than or equal to 1.

2. The method according to claim 1, characterized in that, Determine the network slice identifier to be sent to the terminal, and determine the service data frame and overhead frame corresponding to the network slice identifier, including: In response to the network service request of the terminal, a network connection is established based on the terminal identifier of the terminal, and a network slice identifier is allocated to the terminal based on the network connection, wherein the network slice identifier is used to segment network data frames, and the network data frames include: the service data frames and the overhead frames; The network slice identifier is reconstructed into the service data frame, and the overhead frame corresponding to the service data frame is determined.

3. The method according to claim 1, characterized in that, Generate a key digest and a symmetric encryption key based on the first bandwidth values ​​of multiple time slots, including: A target value is determined based on the first bandwidth values ​​of multiple time slots, wherein the target value includes: the average value, mode value, median value, or a first value composed of the expected value and the standard deviation value of the bandwidth values ​​corresponding to the multiple time slots; A first value and a second value are determined based on the target value, wherein the first value is any bandwidth value among the bandwidth values ​​corresponding to the plurality of time slots that is greater than the target value, and the second value is any bandwidth value among the bandwidth values ​​corresponding to the plurality of time slots that is not greater than the target value. The key digest is composed of the first time slot number corresponding to the first value, the target value, and the terminal identifier of the terminal, and the symmetric encryption key is composed of the second time slot number corresponding to the second value, the target value, and the terminal identifier.

4. The method according to claim 3, characterized in that, Determining the first and second values ​​based on the target values ​​includes: The first value and the second value are determined by determining the target value and the preset skewness standard, wherein, When the skewness standard is less than 0 or greater than 0, a first target value is determined, and when the bandwidth value corresponding to multiple time slots is greater than multiple first target values, the first value and the second value are determined based on the larger first target value, wherein the first target value includes at least one of the following: average value, median value, and mode value; When the skewness standard is equal to 0, a second target value is determined, and when the bandwidth value corresponding to multiple time slots is greater than multiple second target values, the first value and the second value are determined based on the larger second target value, wherein the second target value includes at least one of the following: the difference between the expected value and the standard deviation, the expected value, and the sum of the expected value and the standard deviation.

5. The method according to claim 1, characterized in that, The Calendar A codeword and Calendar B codeword of the target overhead code block of each overhead frame store a first time slot configuration table and a second time slot configuration table, respectively. The first time slot configuration table and the second time slot configuration table are used to transmit different service data sets to the terminal. The first time slot configuration table includes a first sub-time slot table corresponding to multiple physical ports, and the second time slot configuration table includes a second sub-time slot table corresponding to multiple physical ports.

6. The method according to claim 5, characterized in that, Transmit the i-th set of service data according to the target time slot configuration table, including: When i equals 1, it is determined that the first group of service data sets will be transmitted according to the first target time slot configuration table, wherein the first target time slot configuration table includes: the first time slot configuration table or the second time slot configuration table; When i is greater than 1, it is determined that the i-th group of service data sets will be transmitted according to the second target time slot configuration table. The second target time slot configuration table includes: based on the first transmission delay of transmitting the (i-1)-th group of service data sets according to the first sub-time slot table for each physical port, the priority of the first sub-time slot table corresponding to the physical port with the larger first transmission delay in the second time slot configuration table is reduced, thereby obtaining an adjusted second time slot configuration table; or, based on the second transmission delay of transmitting the (i-1)-th group of service data sets according to the second sub-time slot table for each physical port, the priority of the second sub-time slot table corresponding to the physical port with the larger second transmission delay in the first time slot configuration table is reduced, thereby obtaining an adjusted first time slot configuration table.

7. The method according to claim 3, characterized in that, The target time slot configuration table includes multiple target sub-time slot tables, wherein the process by which the terminal generates a symmetric decryption key based on the key digest includes: The terminal obtains the target value based on the key digest, and determines the third time slot number corresponding to the second bandwidth value less than or equal to the target value based on the second bandwidth value of the service data code block in the i-th group of service data according to the multiple time slots corresponding to each physical port and the target sub-time slot table. The symmetric decryption key is generated by the third time slot number, the target value and the terminal identifier.

8. A data encryption transmission system based on FlexE, characterized in that, include: Core network and terminals, among which, The core network is used to determine the network slice identifier to be sent to the terminal, and to determine the service data frame and overhead frame corresponding to the network slice identifier. The service data frame includes multiple sets of service data, and each set of service data includes multiple service data code blocks. The overhead frame includes multiple overhead code blocks. The core network also determines the target time slot configuration table for the FlexE group to which the terminal belongs, and determines the first bandwidth value of multiple time slots corresponding to each physical port within the FlexE group based on the target time slot configuration table. It generates a key digest and a symmetric encryption key based on the first bandwidth values ​​of the multiple time slots, and encrypts the target overhead code block storing the target time slot configuration table within the overhead frame based on the symmetric encryption key. Finally, it constructs an encrypted ciphertext from the encrypted target overhead code block, the i-th set of service data transmitted according to the target time slot configuration table, and the key digest, and transmits the encrypted ciphertext to the terminal, where i is a positive integer greater than or equal to 1. The terminal is used to decrypt the encrypted target overhead code block based on the symmetric decryption key generated by the key digest, to obtain the target time slot configuration table, and to restore the service data set based on the target time slot configuration table.

9. A non-volatile storage medium, characterized in that, The non-volatile storage medium includes a stored program, wherein the device containing the non-volatile storage medium executes the data encryption transmission method based on any one of claims 1 to 7 by running the program.

10. An electronic device, characterized in that, include: A memory and a processor, wherein the memory stores a computer program, and the processor is configured to execute the FlexE-based data encryption transmission method according to any one of claims 1 to 7 via the computer program.