Secure fiber-optic communication system based on Internet-accessible multipath transmission of ciphertext fragments

Ya Jin; Ya Jin; Ya Jin; Yichao Qi; Yichao Qi; Yichao Qi; Yinfang Chen; Wei Chen; Wei Li; Ninghua Zhu

doi:10.1364/OE.430035

1. Introduction

Driven by the rising demand for higher bandwidth and faster speed connections for a variety of industrial and residential purposes, fiber-optic communication technology has been advancing rapidly in recent years, greatly supporting our society and economy [1,2]. However, with so many eavesdropping incidents came to light, the security of fiber-optic communication have got more and more concerns from academics, governments and businesses. Especially in the traditional long-distance communications over the Internet, the problem of user data being hacked by illegal third parties is even more serious [3–5].

Most of the existing secure communication mechanisms can be classified into two types: methods based on encryption and decryption algorithms at the software layer and those exploiting the physical uncertainty inherent to the noisy channel at the physical layer. Methods based on algorithms are mostly relative to a complicated mathematical problem, and their effectiveness has been threatened with a huge increase in computing power [6]. Compared with conventional digital signal encryption, the physical layer security (PLS) technology does not require to implement any extra security schemes or algorithms on other layers above the physical layer. Therefore, PLS technologies have been widely investigated owing to their validity and uniqueness [7]. Chaotic optical communication was originally proposed to provide high-level physical layer encryption. In this type of communication, the user message signal is transmitted using chaotic carrier signal and retrieved at receiver upon synchronization with transmitter [8,9]. However, completely compensating the high-order dispersion and fiber nonlinearity in the optical domain has great challenges, therefore limiting the transmission distance of high-speed chaotic optical communications [10–13]. Quantum optical communication is proved to be safe in theory, but practical constraints in quantum key distribution (QKD) system deployment, such as optical loss in the transmission medium and precision tolerances of the components, appear to limit the current generation of QKD systems to about 200 km [14]. Optical code division multiple access (OCDMA) techniques are widely preferred because sharing the bandwidth of optical fiber among multiple active users. However, it has been observed: an eavesdropper based on a simple energy detector can easily read the information being transmitted by a single user using on–off keying [15].

Multipath transmission of ciphertext fragments (MTCF) is another promising hardware-based technique, which is mainly realized by the hopping of encrypted digital signals among different channels. The data from any source is firstly separated into small fragments in the time domain, and the length of these fragments can be adjusted manually according to the real-time quality of the communication. After been converted into ciphertext by the algorithm, these fragments are carried by multiple paths under the control of random sequence. As early as 2010, our laboratory firstly verified the principle of dual-wavelength multipath transmission, and the communication rate reached 155Mb/s [16]; in 2016, S. Wang et al. introduced the field-programmable gate array (FPGA) platform to replace the original optical switch in the system to gets rid of the limitation of the switching rate and achieve high-speed data distribution [17]; in 2018, Q. Huang et al. expanded this technology into free space, and the transmission rate reached 1Gb/s [18]; in 2019, D. Ban et al. proposed two new structures based on the original experimental framework, which have also been verified by simulation [19,20]. However, these researches have been limited to point-to-point communication, and cannot be applied to scenarios with long distance and multi-user access. In this paper, a secure fiber-optic communication system based on Internet-accessible MTCF technology is proposed and demonstrated. And we carried out a field experiment between Beijing and Xiongan to verify the scheme. Besides, the security performance of the proposed scheme is also analyzed.

2. Principle

The general architecture of Internet-accessible MTCF communication system is an N × N network with N independent paths. Figure 1 shows a 4 ${\times} $ 4 schematic illustration of the proposed system. In conventional fiber-optic communications, the complete data of a single user is usually transmitted along with a single path corresponding to a specific value in a specific physical dimension (such as wavelength, polarization, mode, etc.). In our scheme, by introducing the control of pseudo-random binary sequence (PRBS), the complete data of a single user is firstly encrypted by the algorithm and divided into ciphertext fragments, and then randomly assign to multiple different paths for transmission. Specifically, the PRBS is generated by a linear feedback shift register (LFSR), and its internal feedback connection and sequence structure can be characterized by a characteristic equation, which is given by

(1)$$f(x) = {a_0} + {a_1}x + {a_2}{x^2} + {a_3}{x^3} +{\cdot}{\cdot} \cdot{+} {a_n}{x^n} = \sum\limits_{i = 0}^n {{a_i}{x^i}}$$

Fig. 1. Scheme of multipath transmission of ciphertext fragments. A₀A₁: source path-address of a single user’s complete ciphertext, B₀B₁: destination path-address of a single user’s complete ciphertext, C₀C₁: source path-address of ciphertext fragments, D₀D₁: destination path address of ciphertext fragments, S₀S₁S₂S₃: control sequence for path-hopping, ⊕ is the symbol for the operation of XOR. PRNG: pseudorandom number generator.

Download Full Size | PDF

The communication parties need to agree in advance the internal connection state {a₀, a₁, a₂, …, a_n} and initial value {x₀, x₁, x₂, …, x_n} of the LFSR, and preserve and share the two sets of values as secret keys. To improve the security of communication, as the transmission continues, these values can be adjusted artificially based on actual factors such as the current network conditions, data volume, and communication duration; then the updated secret key is directly transmitted to the receiving end through the MTCF system to realize the synchronization and sharing.

After the user data is encrypted by the block cipher algorithm, the path allocation mechanism is implemented by two XOR operations under the control of S₀S₁S₂S₃. First, exchange the complete block ciphertexts among different paths; then distribute the ciphertext fragments among different paths randomly. It should be noted that the length of the ciphertext is fixed and determined by the block encryption algorithm in the first XOR operation, while fragment length in the second XOR operation can be controlled manually. In other words, the length of the ciphertext unit to be processed by the two XOR operations is different, which brings greater artificially controllable randomness and freedom to the system. Thus, without knowing the secret keys, it is very difficult for the eavesdropper to recover the original information.

The encryption and decryption block diagram of the proposed secure Internet-accessible MTCF scheme is illustrated in Fig. 2. The original data stream is firstly serial-to-parallel (S/P) transformed for SM4 encryption [21] in which the packet length and key length are both 128 bits, and then the output ciphertext is randomly distributed to different paths through the path allocation mechanism. Besides, before sending to the public network for transmission, the ciphertext fragments on each path need to be encapsulated into an Ethernet frame by adding information such as the source and destination IP address through the IP protocol stack module.

Fig. 2. Block diagram of data signal encryption and decryption process.

Download Full Size | PDF

Meanwhile, due to the difference especially the network latency among multiple paths, there may be some irregular time intervals when the data fragments transmitted via the public network arrive at the legal receiving end. To achieve data synchronization, we begin our efforts from two aspects: one is that the transmitter needs to add unique characters to the front end of the ciphertext fragments, the other is that the receiver needs to set up a flexible buffer to compensate for path differences. During transmission, the receiver keeps searching until the unique characters arrived. Moreover, the encryption algorithm is reversible, so the receiver only needs to carry out the reverse operation of the encryption process under control of the same PRBS to recover the valid data.

3. Experimental setup

A field experiment of 2 × 2 network MTCF communication system was carried out between Beijing and Xiongan, which is 125 kilometers apart. As shown in Fig. 3(a), each end has a computer, corresponding to the source of valid data to be transmitted between two communication parties. The operations of encryption and decryption were completed by two MTCF apparatuses (MTCFA), which are mostly consisted of a digital signal processing (DSP) chip, three small form-factor pluggable (SFP +) optical modules. And the two switches are mainly used to realize the conversion between optical signals and electrical signals. In order to reduce the complexity of the experiment, when the data of a single User1 is randomly allocated to one path, the other path is directly filled with random noise data which can actually be replaced with valid data from another user.

Fig. 3. (a) Schematic illustration for MTCF communication. (b) Experimental configuration at the Beijing end. (c) Experimental configuration at the Xiongan end. MTCFA: multipath transmission of ciphertext fragments apparatus.

Download Full Size | PDF

The optical spectrum of MTCF optical carriers was measured (Yokogawa AQ6370D). As shown in Fig. 4, there are three optical signals with different wavelengths, which means the user data originally transmitted by one wavelength carrier (λ₀) is changed into two wavelength optical beams (λ₁+λ₂) after the MTCFA. These wavelengths comply with the 100 GHz grid DWDM standard, and the measured value in the spectrometer has a slight deviation. Note that before user data is sent to the public network, through the IP protocol stack processing module, the specific wavelengths corresponding to the different transmission paths are bound to the specific source IP to destination IP link; in other words, while user data randomly hops between paths corresponding to different wavelengths, in fact, it also randomly makes choices between different IP links. And after being sent to the public network, the carrier wavelength of user data will no longer be under our control, and the data transmission will be completely handed over to IP addressing. Therefore, it is necessary to purchase four fixed IP addresses that support Internet access from the telecom operators in Beijing and Xiongan in advance to ensure the correct addressing of the data.

Fig. 4. The measured optical spectrum of MTCF optical carriers.

Download Full Size | PDF

4. Results and discussion

As shown in Fig. 5(a), the remote communication performance of the proposed MTCF system was examined by a Gigabit Ethernet Tester (Anritsu CMA3000) and a Network Master (Anritsu MT1000A). The frame loss rate for different line loads was measured by adopting the request for comment (RFC) 2544 benchmarking methodology. As can be seen from the Fig. 5(b), the overall frame loss rate of the system is relatively high especially for smaller frame sizes, and the maximum throughput without frame loss can reach 60 Mb/s. In the back-to-back experiment without access to the public network, the maximum throughput can reach 150 Mb/s, which is presented in Fig. 5(c).

Fig. 5. (a) Schematic set-up for measurement of MTCF communication. The measured frame loss rate for different line loads (b) between Beijing and Xiongan, (c) back-to-back.

Download Full Size | PDF

There are two main reasons for the relatively high frame loss rate: First, it is limited by the hardware platform, especially a large central processing unit (CPU) resource was occupied by the Linux embedded system used for protocol stack processing. An inspection of the data in Fig. 6(a) reveals that the CPU utilization was close to 100% when dealing with smaller frames. Second, the network environment fluctuates greatly, the maximum throughput without frame loss of pure lines is only 70Mb/s, which can also be seen from Fig. 6(b). It should be pointed out that once the frame structure is damaged, the tester will drop this frame no matter how large its size is, so the actual bit error rate (BER) is much lower than the frame loss rate. Compare to other PLS technologies such as quantum communication, chaotic optical communication, all-optical encryption, and OCDMA, the proposed MTCF scheme derived from optical frequency hopping technology has obvious advantages such as simple framework, robust scheme, easy to combine with application layer algorithms, especially its compatibility with the existing Internet, make it expected to gain more recognition as a technology complementary to traditional digital signal encryption.

Fig. 6. (a) The measured CPU utilization for different frame sizes. (b) The measured frame loss rate for pure lines between Beijing and Xiongan.

Download Full Size | PDF

Figure 7 presents the eye diagram in the back to back test, which is measured by a photodetector (PD) of SFP with a bandwidth of 10 GHz and a 70 GHz digital serial analyzer sampling oscilloscope (Tektronix DSA8300).

Fig. 7. Eye diagram of the proposed MTCF system.

Download Full Size | PDF

Since realistic eavesdropper may suffer from both finite computational power and limited capability in receiving and processing the communication signal, it is natural to consider a cross-layer hybrid method to security taking advantage of both technologies. Thus, the comprehensive evaluation of such a cross-layer MTCF system security needs to consider both the encryption algorithm in the application layer and the multipath transmission in the physical layer. The conventional encryption algorithm respects the prudent Kerckhoffs’s principle, that is, the security of an encryption system must only rely on the choices of the secret key, everything else including the algorithm itself should be considered public knowledge. In practice, each encryption algorithm has its own strong and weak points. We introduce the strength factor $\alpha \; $to describe the performance of the encryption algorithm, which can be seen as a single-valued function of multiple parameters, including encryption and decryption time, memory utilization, power consumption, entropy [22,23]. Accordingly, once the encryption algorithm is determined, the corresponding α ($\mathrm{\alpha }{\; } \in {\; [0,1]})\;$is also determined, which then can be regarded as a constant.

For the physical layer, user data can be thought of a collection of many minimum information units (MIU) with a length of M bits, corresponding to a character or a pixel in actual communication. As long as an eavesdropper can correctly acquire an MIU, information leakage occurs, so the security performance of the system can be characterized by the intercept probability P of a leak. Assume there are N communication links with a transmission rate of R, and the BER of eavesdropping channel is represented with ${P_e}$. And the ${P_e}$ is only related to the Q-factor [24], that is the electrical signal-to-noise ratio (ESNR) at the input of a receiver's decision circuit. Therefore, in an N-channel MTCF system where the length of the ciphertext fragment is m bits, the intercept possibility of an eavesdropper acquires an MIU through brute-force attacks can be expressed as

(2)$$\begin{aligned}{P_{intercept}} & = {e^{ - \alpha }} \cdot {(\frac{1}{N})^{\left\lceil {\frac{M}{m}} \right\rceil }} \cdot {(1 - {P_e}(Q))^M}\\ & \approx {e^{ - \alpha }} \cdot {(\frac{1}{N})^{\left\lceil {\frac{M}{m}} \right\rceil }} \cdot {(1 - \frac{1}{{\sqrt {2\pi } }} \cdot \frac{{{e^{ - \frac{{{Q^2}}}{2}}}}}{Q})^M} \end{aligned}$$

Where ⌈⌉ is the round-up symbol. For the sake of simplicity, we assume Q = 6 (corresponding P_e = 10⁻⁹) and M = 8 bits, system parameters include the length of the ciphertext fragment m and the number of communication links N form a two-dimensional key space. From Fig. 8(a), we can know that the intercept possibility P varies directly with the length m, and conversely with the links N. On the other hand, given M = 8 bits, m = 2 bits, N = 10, the intercept possibility P fluctuates with Q-factor and the strength factor $\alpha $. As shown in Fig. 8(b), the larger the Q-factor, the larger the possibility P, while the strength factor $\alpha $ is just opposite. In actual practice, on the one hand, we need to try to find an encryption algorithm with better encryption strength, that is, α should be as large as possible. On the other hand, since the Q-factor of the eavesdropper’s receiver is not actually controlled by the legal communication party, we can only try to increase the Q-factor of the legal party’s receiver as much as possible, so that the legal receiving channel could have a certain advantage over the eavesdropping channel, thereby improving the security of communication. Hence, the security performance of the system could, of course, be improved if these system parameters are deliberately adjusted.

Fig. 8. Simulation results of ${{P}_{\textrm{intercept}}}$under the condition of (a) ${N }\; \in {\; [1,30],\; m }\; \in {\; [1,8]}\; $bits (assuming $\mathrm{\alpha }{\; = \; 0,\; Q\; = \; 6}$) (b) ${Q }\; \in {\; (0,8]}$, $\alpha \; \in [{0,1} ]\; $(assuming ${N\; = \; 10,\; m\; = \; 2\; {\textrm{bits}}}$).

Download Full Size | PDF

From the perspective of statistics, an event with a probability of less than 0.01 can be regarded as a little probability event. In a general system under common conditions (M = 8bits, m = 1bit, N = 16, Q = 6, $\mathrm{\alpha }{\; = \; 0}\textrm{.5}$), ${\textrm{P}_{\textrm{intercept}}}$ is about 1.412 × 10⁻¹⁰ according to Eq. (2). Considering the high transmission rate R of the link, the eavesdropper's cracking time is limited, which makes it almost impossible to recover information without knowing the secret key.

The key space is often used as another indicator to measure the security performance of a communication system. Compared with the key space of the traditional digital signal encryption system, since the multipath transmission technology in the physical layer introduces more artificially controllable variables, the total key space of the proposed cross-layer system thus will be further expanded. For the SM4 block cipher algorithm with a key size of 128 bits, there are 2¹²⁸ possible keys. In terms of the path allocation mechanism, the key length is 128/m×⌈log₂N⌉, and the corresponding key space is 2^{128/m×⌈ log}₂^N^⌉. Therefore, the total key space of the MTCF scheme is 2¹²⁸×2^{128/m×⌈ log}₂^N ^⌉ = 2^{128+128/m×⌈ log}₂^N^⌉. Supposing m = 4 bits and N = 4, the key space is about of 2¹⁹² ≈ 6.277×10⁵⁷, which is huge enough to resist brute force cracking.

5. Conclusion

In conclusion, we have proposed and experimentally demonstrated a secure fiber-optic communication system based on Internet-accessible MTCF technology. By combining the optical PLS technology with the traditional digital signal encryption in the application layer, the total key space of the proposed hybrid system thus will be further expanded, thereby improving the security of communication. A field experiment over 125 km has been successfully undertaken, and the maximum throughput of 60 Mb/s demonstrates the feasibility of the scheme. We also established an intercept possibility model to analyze the security performance of the proposed system, and the results prove that it is sufficiently safe. In the next step, we will consider implementing the IP protocol processing module by a dedicated hardware circuit to increase the transmission rate. We hope the proposed scheme can pave the way for practical usage in long-distance secure communications.

Funding

Beijing Municipal Natural Science Foundation (4204112); National Key Research and Development Program of China (2019YFB2205302); State Key Laboratory of Optical Fiber and Cable Manufacture Technology (No. SKLD1804).

Acknowledgments

The authors wish to thank the anonymous reviewers for their careful reading and valuable suggestions.

Disclosures

The authors declare no conflicts of interest.

Data availability

Data underlying the results presented in this paper are not publicly available at this time but may be obtained from the authors upon reasonable request.

References

1. P. J. Winzer, D. T. Neilson, and A. R. Chraplyvy, “Fiber-optic transmission and networking: the previous 20 and the next 20 years [Invited],” Opt. Express 26(18), 24190–24239 (2018). [CrossRef]

2. Vinita, “A Comprehensive Review of Recent Advancement in Optical Communication Networks,” IJCSE 6(9), 617–626 (2018). [CrossRef]

3. R. Rejeb, M. S. Leeson, and R. J. Green, “Fault and attack management in all-optical networks,” IEEE Commun. Mag. 44(11), 79–86 (2006). [CrossRef]

4. M. Furdek, N. Skorin-Kapov, S. Zsigmond, and L. Wosinska, “Vulnerabilities and security issues in optical networks,” 16th International Conference on Transparent Optical Networks (ICTON), (2014).

5. Q. Kong and B. Liu, Security and Protection in Optical Networks (SpringerLink, 2018).

6. M. Bloch and J. Barros, Physical-Layer Security: From information theory to security engineering, Cambridge University Press, USA, (2011).

7. Y. L. Liu, H. H. Chen, and L. M. Wang, “Physical Layer Security for Next Generation Wireless Networks: Theories, Technologies, and Challenges,” IEEE Commun. Surv. Tutorials 19(1), 347–376 (2017). [CrossRef]

8. A. Argyris, D. Syvridis, L. Larger, V. Annovazzi-Lodi, P. Colet, I. Fischer, J. Garcia-Ojalvo, C. R. Mirasso, L. Pesquera, and K. A. Shore, “Chaos-based communications at high bit rates using commercial fibre-optic links,” Nature 438(7066), 343–346 (2005). [CrossRef]

9. R. Lavrov, M. Jacquot, and L. Larger, “Nonlocal Nonlinear Electro-Optic Phase Dynamics Demonstrating 10 Gb/s Chaos Communications,” IEEE J. Quantum Electron. 46(10), 1430–1435 (2010). [CrossRef]

10. K. Rauf, “Chaos Based Optical Communication,” Intern. J. Comp. Commun. Engin. 2, 97 (2013).

11. Z. Yang, L. L. Yi, J. X. Ke, Q. B. Zhuge, Y. P. Yang, and W. S. Hu, “Chaotic Optical Communication Over 1000 km Transmission by Coherent Detection,” J. Lightwave Technol. 38(17), 4648–4655 (2020). [CrossRef]

12. J. X. Ke, L. L. Yi, G. Q. Xia, and W. S. Hu, “Chaotic optical communications over 100-km fiber transmission at 30-Gb/s bit rate,” Opt. Lett. 43(6), 1323–1326 (2018). [CrossRef]

13. L. Wang, X. Mao, A. Wang, Y. Wang, Z. Gao, S. Li, and L. Yan, “Scheme of coherent optical chaos communication,” Opt. Lett. 45(17), 4762–4765 (2020). [CrossRef]

14. F. Cavaliere, E. Prati, L. Poti, I. Muhammad, and T. Catuogno, “Secure Quantum Communication Technologies and Systems: From Labs to Markets,” Quantum Reports 2(1), 80–106 (2020). [CrossRef]

15. D. E. Leaird, Z. Jiang, and A. M. Weiner, “Experimental investigation of security issues in OCDMA: a code-switching scheme,” Electron. Lett. 41(14), 817–819 (2005). [CrossRef]

16. N. Zhu, W. Chen, and J. Liu, “A Band New Security Mechanism of Fibre Communications - Lightwave Hopping Communication,” J. Network New Media 1(6), 70–72 (2012).

17. S. L. Wang, W. Chen, N. H. Zhu, J. G. Liu, W. T. Wang, and J. J. Guo, “A Novel Optical Frequency-Hopping Scheme for Secure WDM Optical Communications,” IEEE Photonics J. 7(3), 1–8 (2015). [CrossRef]

18. Q. Huang, D. Liu, Y. Chen, Y. Wang, J. Tan, W. Chen, J. Liu, and N. Zhu, “Secure free-space optical communication system based on data fragmentation multipath transmission technology,” Opt. Express 26(10), 13536–13542 (2018). [CrossRef]

19. D. Ban, N. Zhu, S. Xia, C. Zhang, Y. Chen, Y. Qi, Z. Liu, B. Xu, J. Sun, and W. Chen, “A Novel Optical Frequency-Hopping System Based on DFB Laser Integrated With an EA Modulator,” IEEE Photonics J. 11(6), 1–8 (2019). [CrossRef]

20. D. C. Ban, Q. C. Huang, Y. F. Chen, Y. C. Qi, W. Chen, and N. H. Zhu, “A Novel Optical Frequency-Hopping Scheme Based on a Flexible Structure for Secure Optical Communications,” IEEE Photonics J. 11(1), 1–7 (2019). [CrossRef]

21. SM4 Block Cipher Algorithm, on-line: http://www.gmbz.org.cn/upload/2018-04-04/1522788048733065051.pdf.

22. P. Patil, P. Narayankar, D. G. Narayan, and S. M. Meena, “A Comprehensive Evaluation of Cryptographic Algorithms: DES, 3DES, AES, RSA and Blowfish,” Procedia Comput. Sci. 78, 617–624 (2016). [CrossRef]

23. B. Bharathi, G. Manivasagam, and M. A. Kumar, “Metrics for performance evaluation of encryption algorithms,” Intern. J. Adv. Res. Sci. Engin. 6(3), 62–72 (2017).

24. G. Keiser, Optical Fiber Communications, 4th, McGraw-Hill Education, (2010).

Secure fiber-optic communication system based on Internet-accessible multipath transmission of ciphertext fragments

Abstract

1. Introduction

2. Principle

3. Experimental setup

4. Results and discussion

5. Conclusion

Funding

Acknowledgments

Disclosures

Data availability

References

Data availability

Cited By

Figures (8)

Equations (2)

Optics Express