DP83TC818S-Q1: PSK Configuration

Part Number: DP83TC818S-Q1
Other Parts Discussed in Thread: AM263P4

We are considering using the PHY - DP83TC818S-Q1 with an AM263P4 microprocessor but need to know if the DP83TC818S-Q1 PHY can be configured to use a Preshared Key for MACSec Encryption/Decryption.

How would this implementation work - how would we set the key in the PHY (where would it be stored) and how would we configure the PHY to use that Key?

  • Hi Addison, 

    Could you clarify what you mean by a "preshared key"? I'm not very familiar with that term from the IEEE specification or our internal materials. I found some online documentation from enterprise vendors saying that a preshared key is a combination of the CKN and CAK, which would be the information needed for the first step of mutual key authentication before the MACsec channel opens up. To my knowledge, the CKNs and CAKs are held by the MACs themselves and not the PHYs because the purpose of the connectivity association is to verify the identities of the participating MAC devices. Do you have a different meaning from this or do you have material suggesting that the CKN/CAK should be held by the PHYs? Happy to look into the topic if there's any confusion.

    At the PHY level, there is internal memory set aside for holding keys and other information related to the secure channel. These keys would be SAKs for encoding data that can be programmed in batches by an external controller, and cycled through upon expiry, but I don't think these are related to the "preshared key" term. 

    If you've noticed that the PHY datasheet doesn't elaborate on MACsec, it's because we have a separate programmer's manual that explains exactly how the MACsec programming for the PHY specifically can be done. Because it's a very detailed description of the internal systems, we normally only distribute the manual to customers when they have decided to move forward with the TI PHY and are ready to start driver development.

    Best,

    Evan Su

  • Thank you for your response. Yes I believe you are right with "pre-shared key is a combination of the CKN and CAK". So therefore based on your response - the SAK is generated by the MAC and passed to the PHY - but when would those keys be passed to the PHY? Would the SAK be passed encrypted by the KEK or would the encryption using the KEK happen in the PHY?

    Also, who should we get in contact with to request the programmer's manual that explains how the MACsec programming for the PHY can be done? My team is working with the AM263P board and will be integrating the DP83TC818S-Q1 once we can fully verify that it can be used with our intended functionality.

  • Hi Addison,

    "So therefore based on your response - the SAK is generated by the MAC and passed to the PHY - but when would those keys be passed to the PHY? Would the SAK be passed encrypted by the KEK or would the encryption using the KEK happen in the PHY?"

    Sorry, can you clarify what you mean by "KEK"?

    My understanding is that the SAKs can be programmed into the PHY by the MAC or another controller at any time, as long as there's space in the PHY's reserved memory. This can be done in linked batches, so that when the current key expires, the next key can be switched to automatically. If the SAKs are not replenished over time and they run out, it would be necessary to program new SAKs to resume secure communication.

    "Also who should we get in contact with to request the programmers manual that explains how the MACsec programming for the PHY can be done. My team is working with the AM263P board and will be integrating the DP83TC818S-Q1 once we can fully verify that it can be used with our intended functionality."

    You can go through us (Ethernet applications team) on this forum or this thread when you're ready to make a decision.

    Best,

    Evan Su

  • The Key Encryption Key (KEK) is generated by the CAK and is used to encrypt the SAK to send it over to the 'other device on the other end of the line' as a part of MACSec.

    Also we have decided to progress with the PHY DP83TC818S-Q1. Can you assist us with progressing forward and attaining the programming manual?

  • Hi Addison,

    Sure, I'll get in touch with my team about the manual. If you'd like to talk in private messages, you can accept the E2E friend request I just sent. Alternatively, I can reach out through your email contact; it might be easier to track the conversation that way.

    Best,

    Evan Su

  • Just accepted the friend request! Thank you!
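
The KEK mentioned in the thread is derived from the pre-shared CAK and CKN with the AES-CMAC key derivation function of IEEE 802.1X-2010. The sketch below is an added example, not code from the thread's participants or from TI; the function names are illustrative and it handles 128-bit CAKs only.

```python
# Added example: KEK = KDF(CAK, "IEEE8021 KEK", CKN[:16], 128), IEEE 802.1X-2010.
# The small AES-128 exists only so this runs offline; products should use a vetted library.
_xt = lambda a: ((a << 1) ^ (0x1B if a & 0x80 else 0)) & 0xFF  # multiply by x in GF(2^8)

def _sbox():  # build the AES S-box instead of embedding a 256-entry table
    rotl = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    s, p, q = [0x63] + [0] * 255, 1, 1
    for _ in range(255):
        p ^= _xt(p)  # p *= 3
        for sh in (1, 2, 4):  # q /= 3, so q stays the inverse of p
            q = (q ^ (q << sh)) & 0xFF
        q ^= 0x09 if q & 0x80 else 0
        s[p] = q ^ rotl(q, 1) ^ rotl(q, 2) ^ rotl(q, 3) ^ rotl(q, 4) ^ 0x63
    return s
SBOX = _sbox()

def aes128_encrypt(key, block):
    w, rcon = [list(key[i:i + 4]) for i in range(0, 16, 4)], 1
    for i in range(4, 44):  # key schedule: 44 words, 4 per round key
        t = w[i - 1]
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0], rcon = t[0] ^ rcon, _xt(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    s = [b ^ k for b, k in zip(block, sum(w[0:4], []))]
    for rnd in range(1, 11):
        s = [SBOX[s[4 * ((c + r) % 4) + r]] for c in range(4) for r in range(4)]  # SubBytes + ShiftRows
        if rnd < 10:  # MixColumns (skipped in the final round)
            s = [_xt(s[4 * c + r]) ^ _xt(s[4 * c + (r + 1) % 4]) ^ s[4 * c + (r + 1) % 4]
                 ^ s[4 * c + (r + 2) % 4] ^ s[4 * c + (r + 3) % 4] for c in range(4) for r in range(4)]
        s = [b ^ k for b, k in zip(s, sum(w[4 * rnd:4 * rnd + 4], []))]
    return bytes(s)

def aes_cmac(key, msg):  # RFC 4493
    def dbl(b):  # doubling in GF(2^128) for subkeys K1 and K2
        n = int.from_bytes(b, "big") << 1
        return ((n ^ 0x87 if n >> 128 else n) & ((1 << 128) - 1)).to_bytes(16, "big")
    xor = lambda a, b: bytes(i ^ j for i, j in zip(a, b))
    k1 = dbl(aes128_encrypt(key, bytes(16)))
    *head, last = [msg[i:i + 16] for i in range(0, len(msg), 16)] or [b""]
    last = xor(last, k1) if len(last) == 16 else xor(last + b"\x80" + bytes(15 - len(last)), dbl(k1))
    x = bytes(16)
    for blk in head + [last]:
        x = aes128_encrypt(key, xor(x, blk))
    return x

def derive_kek(cak, ckn):
    assert len(cak) == 16, "this sketch handles 128-bit CAKs only"
    keyid = ckn[:16].ljust(16, b"\x00")  # first 16 octets of the CKN, zero padded
    return aes_cmac(cak, b"\x01" + b"IEEE8021 KEK" + b"\x00" + keyid + (128).to_bytes(2, "big"))
```

In IEEE 802.1X the key server uses this KEK with AES Key Wrap (RFC 3394) to protect the SAK it distributes in MKA messages.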