
SECURE NETWORKING 101 MACsec, IPsec, and SSL Basics

INTRODUCTION

This document is a basic introduction to the most common secure protocols in network communications.

THE COMMON CONCEPTS

MACsec, IPsec, and SSL/TLS have similar concepts and consist of two “planes”:

• The “control plane”, a management layer used for the management of the secure protocol itself (of the parties, establishment and rotation, etc.).

• The “data plane”, which protects the upper protocol data that conveys the useful information (payload) in a secured way.

All these protocols provide the following security services, within the scope of their layer:

• Authentication (optional). Each party securely identifies the other party (peer). The credentials used for authentication are quite flexible: they can be pre-shared keys, , or PKI-based, etc.

• Integrity. All information sent by one side is guaranteed to be delivered unmodified to the other side.

• Confidentiality (optional). All payloads are encrypted so that a third party with access to the network would not be able to understand them.

• Anti-replay. Prevents interception and modification of payload between the source and destination. Ensures invalid payloads are discarded.

• Non-repudiation. Ensures that a transferred message has been sent and received by the parties claiming to have sent and received it.
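The integrity and anti-replay services listed above are enforced on the receive side by two independent checks. The following Python example, added here and not part of the original document, shows both: a keyed tag is verified first (HMAC-SHA256 stands in for an AEAD tag such as the AES-GCM tag MACsec uses), and only authenticated frames are allowed to update a sliding sequence-number window of the kind IPsec and MACsec receivers keep. The frame layout, key and window size are constructed for illustration only.

```python
import hmac, struct

class ReplayWindow:
    """Sliding anti-replay window of the kind IPsec and MACsec receivers keep."""
    def __init__(self, size=64):
        self.size = size
        self.highest = -1   # highest sequence number accepted so far
        self.bitmap = 0     # bit i set => sequence number (highest - i) already seen

    def check_and_update(self, seq):  # True if seq is new and inside the window
        if seq > self.highest:                       # newer than anything seen: slide window
            shift = seq - self.highest
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return True
        offset = self.highest - seq
        if offset >= self.size:                      # older than the window: stale
            return False
        if (self.bitmap >> offset) & 1:              # already accepted once: replay
            return False
        self.bitmap |= 1 << offset
        return True

def protect(key, seq, payload):
    """Sender: seq || payload || tag. HMAC-SHA256 stands in for an AEAD tag (constructed format)."""
    header = struct.pack("!I", seq)
    return header + payload + hmac.new(key, header + payload, "sha256").digest()

def verify(key, window, frame):
    """Receiver: integrity check first, then anti-replay. Returns (accepted, reason, payload)."""
    header, body, tag = frame[:4], frame[4:-32], frame[-32:]
    if not hmac.compare_digest(hmac.new(key, header + body, "sha256").digest(), tag):
        return (False, "bad tag", None)   # unauthenticated frames must never move the window
    (seq,) = struct.unpack("!I", header)
    if not window.check_and_update(seq):
        return (False, "replayed or stale", None)
    return (True, "ok", body)

def demo():
    """Feed one receiver fresh, reordered, replayed, tampered and stale frames (all constructed)."""
    key = b"constructed-demo-key-not-for-real-use"
    window = ReplayWindow(64)
    frames = [protect(key, s, b"payload %d" % s) for s in (1, 2, 4, 3)]  # frame 3 arrives late
    results = [verify(key, window, f)[1] for f in frames]
    results.append(verify(key, window, frames[1])[1])                    # frame 2 replayed
    tampered = bytearray(frames[2])
    tampered[6] ^= 0x01                                                  # one payload bit flipped
    results.append(verify(key, window, bytes(tampered))[1])
    results.append(verify(key, window, protect(key, 1000, b"x"))[1])     # jumps the window forward
    results.append(verify(key, window, frames[0])[1])                    # frame 1 is now too old
    return results
```

Running `demo()` yields `ok` four times (reordering within the window is tolerated), then `replayed or stale`, `bad tag`, `ok`, `replayed or stale`.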

MACSEC

MACsec is a “” protocol which works on a local network scale, point to point. It protects the link between network equipment, e.g. between a laptop and a switch, or between two switches. The control plane is IEEE 802.1X, which is also commonly used for WiFi networks. This protocol allows the control of access to the network: only authenticated peers are able to get connectivity. The data plane is IEEE 802.1AE, a simple protocol that protects the packets with AES-GCM.

• When MACsec is in use, only authenticated peers are able to connect to the network.

• All local attacks that “trick” switches and routers into redirecting network traffic to attacker machines do not work if MACsec is enabled.

• MACsec is the wired equivalent of WPA2 in WiFi networks.

• MACsec is invisible to the application. It encrypts all traffic without the end point application being aware.

A typical use case for MACsec would be to secure the connection between an IP phone in a user’s office and the corporate phone server onsite.

IPSEC

IPsec is a “” protocol: it works between any two peers participating in an IP network such as the , regardless of how those peers are connected (via many routers, different types of links, etc.).

• The control plane is IKE or IKEv2 ().

• The data plane is IPsec.

• This protocol is typically used for VPNs (peer to network, or network to network).

• It is a very complex protocol with tons of variants and options.

• IPsec is invisible to the application. It encrypts all traffic without the end point application being aware.

A typical use case for IPsec is a VPN client on a mobile device connecting to a VPN server in the enterprise, allowing employees who are away from the office to connect to company resources securely and authenticating that the users are allowed to connect. Another use case would be to connect a remote office to a common company intranet.

SSL / TLS / DTLS

SSL, TLS, and DTLS are “” protocols. They work between two endpoints (in general this means one application running on one host) and provide security directly to the endpoint. TLS () is the replacement for SSL (Secure Sockets Layer); previous versions of SSL are deprecated and potentially have security issues. TLS requires a reliable transport protocol and typically runs over TCP. DTLS ( Transport Layer Security) is based on TLS and adapted to run over UDP (unreliable transport). These protocols themselves contain several layers that deal with both the control plane and the data plane.

• SSL/TLS is typically used for application-specific security, for example using ://... The reason is that the credentials of the secure protocol can be bound to the application itself.

• In terms of architecture and software implementation, these protocols do not require the user to modify the kernel. However, they do require integration into the user application(s), as they are not implemented at the system level.

• An application can specify encryption and authentication parameters for each host it needs to contact.

A typical use case for SSL/TLS is a web browser (SSL client) connecting to a secure website through https from a public network. Another use case is connecting through a web browser to a router’s web-based management console. A DTLS use case would be encrypting VoIP traffic: the data is sent in real time, and packet loss would not invalidate the entire connection. The DTLS protocol keeps the connection open, and there is only a slight degradation in the call audio corresponding to the lost data.

INSIDE SECURE OFFERINGS

Inside Secure offers Semiconductor IP and software stacks implementing high performance SSL, TLS, DTLS, IPsec, and MACsec. Inside Secure’s MACsec solution contains the SW stack and corresponding HWIP for both the control and data planes. The included reference data plane implementation may be replaced during integration on a customer’s platform for performance & power consumption considerations. Inside Secure’s QuickSec IPsec solution provides both control and data plane implementations as well.

Inside’s SW implementation is efficient for the data plane but can also integrate with accelerated hardware for high performance. Inside’s QuickSec IPsec is the clear market leader, supporting a large variety of networking hardware. The software control plane can also use various HW modules for enhanced authentication, including SSL. Inside Secure’s MatrixSSL implements the SSL/TLS protocol and has been integrated with our HWIP. MatrixSSL has a generic PKCS #11 interface which can be used to integrate with common hardware implementations. Inside Secure’s SafeZone FIPS library is a FIPS certified cryptography library available for use with IPsec, SSL, or for standalone secure applications.

ABOUT INSIDE SECURE

Inside Secure provides comprehensive embedded security solutions. World-leading companies rely on Inside Secure’s mobile security and secure transaction offerings to protect critical assets including connected devices, content, services, identity and transactions. Unmatched security expertise combined with a comprehensive range of IP, semiconductors, software and associated services gives Inside Secure customers a single source for advanced solutions and superior investment protection. Inside Secure sells:

• semiconductor hardware solutions that, in particular, integrate secure microcontrollers and electronic solutions enabling secure data storage

• software, particularly embedded software providing the secure management and communication of data as well as cryptography algorithms

• intellectual property blocks that its customers integrate into their semiconductor platforms

These solutions rely on Inside’s know-how in analog and digital semiconductor design and embedded software, as well as its expertise in the software design of security and certification applications.

Inside Secure is the only market player simultaneously offering hardware-only-based solutions (based on secure microcontrollers), software-only-based solutions, and a combination of both hardware and software, in addition to a broad intellectual property solutions portfolio.

FOR MORE INFORMATION

http://www.insidesecure.com

Inside Silicon IP: http://www.insidesecure.com/Markets-solutions/Enterprise-Security-and-Secure-Access/Enterprise-Security-Solutions-for-SoC

Inside Protocol Security toolkits: http://www.insidesecure.com/Products-Technologies/Protocol-Security-Toolkits

Inside FIPS Certified cryptography library: http://www.insidesecure.com/Markets-solutions/Payment-and-Mobile-Banking/SafeZone-FIPS2

NETWORK LAYERS

Inside Secure offers hardware IP and software stacks implementing high performance SSL, TLS, DTLS, IPsec, and MACsec.