Enforcing encryption on an Ethernet network at the hardware level.
By Dana Neustadter and Jerry Lotto
There is an ever-increasing demand for bandwidth, driven by an exponential growth in the number of devices connected to the cloud and a broadening variety of sensors, applications, and services, resulting in an explosion of data traffic. This, in turn, drives the proliferation of high-bandwidth interfaces such as Ethernet, PCIe/CXL, and DDR to sustain faster data movement and increased processing and storage capacities. End-to-end data security in the connected ecosystem is more critical than ever, including when data is at rest and when it is in motion, both as it is communicated between devices and the cloud and while it is processed or stored in a device.
Ethernet-connected devices, like computers, servers, hubs, routers, and more, are expanding in every direction, including high performance computing, 5G, mobile and automotive markets, all requiring security. Security on the internet or any other Ethernet network depends on encryption. The more encryption is used, the harder it is for attackers to steal data, eavesdrop on communications, and/or compromise systems.
There are many reasons to encrypt Ethernet traffic. Compliance is one of the most common and may involve one or more standards for the treatment of sensitive or personally identifiable data. Examples of such standards are defined in the Health Insurance Portability and Accountability Act of 1996 (HIPAA) in the US or the analogous European General Data Protection Regulation (GDPR). For institutions that obtain and use data on children, rules defined in the Family Education Rights and Privacy Act (FERPA) may also apply. Failure to comply with applicable standards can result in significant penalties even if a data breach does not occur.
Data theft is not only the domain of regulated content – any research, intellectual property, proprietary data, or code is potentially a target for theft or malicious alteration. Intrusion detection and prevention starts with ensuring privacy for exchanging account credentials and sensitive or valuable data. Source validation and authentication services are a critical element of this infrastructure: not all breaches originate from outside an organization, and rights-based data management depends critically on safe (private and reliable) identity validation.
The primary security standard to secure Ethernet traffic is Media Access Control Security (MACsec). MACsec provides data security in motion between Ethernet-connected devices and protects network communication against DoS attacks, eavesdropping, and man-in-the-middle attacks.
MACsec is an established protocol based on AES-GCM cryptography that secures the data link layer (where communication begins) by providing confidentiality, data integrity, data origin authenticity, and replay protection.
Security on the internet or any other Ethernet network depends on encryption: it provides privacy of communication and, with shared authenticated keys, integrity and authentication. There are several different ways to encrypt Ethernet traffic, and they occur at different layers of the OSI stack on which it is based:
Setting up a MACsec encrypted connection involves five steps:
MACsec hardware encryption also provides the lowest latency security as compared to options implemented at higher layers of the OSI stack.
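As an added illustration of the per-frame properties listed above (confidentiality, integrity, data origin authenticity and replay protection), and not code from this article or from Synopsys, the following Go program models MACsec frame protection with GCM-AES-128. It builds a frame as destination MAC, source MAC, SecTAG, encrypted payload and ICV, authenticates the addresses and SecTAG as associated data, and on receipt enforces a replay window before verifying the ICV and decrypting. It assumes a 16-byte Secure Association Key (SAK) has already been agreed (the key-agreement steps the article refers to are outside this example), an explicit SCI in the SecTAG, and constructed MAC addresses and demo values; the SecureChannel type and its method names are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// Simplified model of MACsec (IEEE 802.1AE) frame protection with GCM-AES-128.
// Assumptions, not taken from the article: a 16-byte SAK is already agreed,
// the SecTAG carries an explicit SCI, and the receiver keeps a replay window.
const (
	macsecEtherType = 0x88E5
	hdrLen          = 12 // destination MAC (6) + source MAC (6)
	secTagLen       = 16 // EtherType(2), TCI/AN(1), SL(1), PN(4), SCI(8)
	icvLen          = 16 // GCM authentication tag
)

// SecureChannel holds the per-SAK state shared by a transmitter/receiver pair.
type SecureChannel struct {
	aead         cipher.AEAD
	sci          [8]byte // Secure Channel Identifier of the transmitter
	txNextPN     uint32  // next packet number to transmit
	rxNextPN     uint32  // one past the highest packet number validated so far
	rxLowestPN   uint32  // lowest packet number still accepted
	replayWindow uint32  // 0 enforces strict ordering
}

func NewSecureChannel(sak []byte, sci [8]byte, replayWindow uint32) (*SecureChannel, error) {
	block, err := aes.NewCipher(sak) // a 16-byte SAK selects AES-128
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block) // 12-byte IV and 16-byte tag, as in 802.1AE
	if err != nil {
		return nil, err
	}
	return &SecureChannel{aead: aead, sci: sci, txNextPN: 1, rxNextPN: 1,
		rxLowestPN: 1, replayWindow: replayWindow}, nil
}

// Protect builds DA | SA | SecTAG | encrypted payload | ICV. The addresses and
// SecTAG stay in the clear so switches can forward the frame, but they are
// authenticated: any change to them fails the ICV check at the receiver.
func (sc *SecureChannel) Protect(da, sa [6]byte, payload []byte) ([]byte, error) {
	if sc.txNextPN == 0 {
		return nil, errors.New("packet number exhausted: a fresh SAK is required")
	}
	pn := sc.txNextPN
	sc.txNextPN++

	secTag := make([]byte, secTagLen)
	binary.BigEndian.PutUint16(secTag[0:2], macsecEtherType)
	secTag[2] = 0x2C // TCI: SC=1 (SCI present), E=1 (encrypted), C=1 (changed); AN=0
	secTag[3] = 0    // SL=0: payload length is implied by the frame length
	binary.BigEndian.PutUint32(secTag[4:8], pn)
	copy(secTag[8:16], sc.sci[:])

	aad := make([]byte, 0, hdrLen+secTagLen)
	aad = append(append(append(aad, da[:]...), sa[:]...), secTag...)
	iv := append(append([]byte{}, sc.sci[:]...), secTag[4:8]...) // IV = SCI || PN
	sealed := sc.aead.Seal(nil, iv, payload, aad)                 // ciphertext || ICV
	return append(aad, sealed...), nil
}

// Validate performs the receive-side checks: SecTAG sanity, replay window, then
// ICV verification and decryption. The window advances only after the ICV
// verifies, so a forged or replayed frame cannot move it.
func (sc *SecureChannel) Validate(frame []byte) ([]byte, error) {
	if len(frame) < hdrLen+secTagLen+icvLen {
		return nil, errors.New("frame too short to be a MACsec frame")
	}
	secTag := frame[hdrLen : hdrLen+secTagLen]
	if binary.BigEndian.Uint16(secTag[0:2]) != macsecEtherType {
		return nil, errors.New("missing MACsec EtherType")
	}
	pn := binary.BigEndian.Uint32(secTag[4:8])
	if pn < sc.rxLowestPN {
		return nil, fmt.Errorf("replay protection: PN %d below lowest acceptable PN %d", pn, sc.rxLowestPN)
	}
	aad := frame[:hdrLen+secTagLen]
	iv := append(append([]byte{}, secTag[8:16]...), secTag[4:8]...)
	plaintext, err := sc.aead.Open(nil, iv, frame[hdrLen+secTagLen:], aad)
	if err != nil {
		return nil, errors.New("ICV check failed: frame discarded")
	}
	if pn >= sc.rxNextPN {
		sc.rxNextPN = pn + 1
	}
	if sc.rxNextPN > sc.replayWindow {
		sc.rxLowestPN = sc.rxNextPN - sc.replayWindow
	}
	return plaintext, nil
}

func main() {
	// Constructed demo values; a real SAK comes from key agreement, not a literal.
	sak := []byte("0123456789abcdef")
	sci := [8]byte{0x02, 0, 0, 0, 0, 0x01, 0, 0x01}
	da := [6]byte{0x02, 0, 0, 0, 0, 0x02}
	sa := [6]byte{0x02, 0, 0, 0, 0, 0x01}
	tx, _ := NewSecureChannel(sak, sci, 0)
	rx, _ := NewSecureChannel(sak, sci, 0)
	frame, _ := tx.Protect(da, sa, []byte("telemetry record 1"))
	pt, err := rx.Validate(frame)
	fmt.Printf("first delivery: %q, err=%v\n", pt, err)
	_, err = rx.Validate(frame)
	fmt.Println("replayed frame:", err)
}
```

Two design points are worth noting. The receiver updates its window only after the ICV verifies, so an attacker cannot push the window forward with a forged high packet number and cause genuine frames to be dropped. A non-zero replay window tolerates reordering but also permits re-delivery of frames within the window, so 0 is the strictest setting; and because the packet number is part of the IV, the transmitter refuses to send once it is exhausted and a new SAK has to be agreed rather than reusing an IV.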
Synopsys MACsec Security Modules secure Ethernet traffic against denial-of-service (DoS) attacks, eavesdropping, and man-in-the-middle attacks by supporting confidentiality, integrity, origin authentication, and replay protection in switch, router, and bridge SoCs for cloud computing, 5G, mobile and automotive applications.
They are standards-compliant, full-duplex solutions that integrate seamlessly with Synopsys Ethernet MAC & PCS IP, supporting scalable data rates with optimal latency, network prioritization, and diversity for a range of secure Ethernet connections. Figure 1 depicts the Synopsys Ethernet solution with the Synopsys MACsec Module, which enables system-on-chip (SoC) designers to quickly integrate security into their systems for a fast time-to-market and reduced risk.
Fig. 1: Synopsys Ethernet Security Solutions block diagram.
With the Synopsys MACsec Security Modules, designers can take advantage of:
Data retention policies vary worldwide; some government actors will even try to impose access or retention rights to data under surveillance, ownership, oversight policy, or legislation. Encrypting data only at rest is not sufficient protection. Multiple layers of network encryption might be necessary to ensure privacy and integrity while traversing unknown and uncontrolled elements of internet infrastructure. Zero-day vulnerabilities, malware, and viruses can easily pose a threat without the validation and protection that encryption techniques provide.
The main security standard to secure Ethernet traffic is MACsec, which provides data security in motion between Ethernet-connected devices. The pre-shared key used in the first step of MACsec negotiation can prevent non-trusted devices from successfully connecting to a secured Ethernet fabric. Computing on shared infrastructure further complicates this challenge – unless you can verify a connection is secured, don’t trust it!
By adding Synopsys MACsec Security Modules to Synopsys Ethernet IP Solutions, designers of networking SoCs can protect high-speed network traffic, enabling end-to-end security of data in motion between Ethernet-connected devices.
Learn more about enabling the highest levels of SoC security with Synopsys Secure Interfaces.
Jerry Lotto is a senior technical marketing manager for HPC at Synopsys.