MACsec Intel® FPGA System Design User Guide

ID 767516
Date 3/31/2024
Public
Document Table of Contents

6.1. MACsec Key Agreement Protocol

The 802.1X standard is a Port-Based Network Access Control Protocol that provides an authentication mechanism for LAN and wireless LAN. The third edition, IEEE Std 802.1X-2010, added authenticated key agreement supporting IEEE Std 802.1AE (MACsec).

MAC Security Key Agreement protocol (MKA -IEEE 802.1X REV-2010) is used for discovering MACsec peers and negotiating keys.

MKA key hierarchy:

The root of the key hierarchy for any given instance of MKA is the Secure Connectivity Association Key (CAK). For every MACsec potential peer of the same LAN, the possession of the same CAK for the connectivity association is a must.

A CAK can be obtained in the below ways:
  • It can be a pre-shared key (PSK).
  • Or it can use EAP for automatic CAK management.

Each CAK is identified by a secure Connectivity Association Key Name (CKN) that allows each of the MKA participants to select which CAK or CAK-derived key, to process a received MKPDU.

Every key used by MKA is derived from the CAK. MKA does not use this CAK directly, it derives two further keys, namely:
  • The ICV Key (ICV): It is used to verify the integrity of MPDUs and to prove that the transmitter of the MKPDU possesses the CAK.
  • The Key Encrypting Key (KEK): It is used by Key Server which is elected by MKA, to transport a succession of Secure Association Keys (SAKs) to the other members of a Connectivity Association (CA).

The Key Server uses these ICK and KEK to transport/distribute the SAKs. Here, a Key Server is elected based on the lower priority among the peers.

MKA transport with pre-shared Key:
Figure 31. MKA Transport with PSK

Pre-shared keys (CAK) are configured on MACsec enabled devices. Once peer authentication is done, Connectivity Association is formed between the peers. Further, the peers exchange CKN and validate ICV with the pre-shared keys.

Key sever election takes space based on the priority and it generates and distributes SAKs. Peers then use these SAKs to encrypt the data traffic and forwards it over the protected link.