In my blog late last year, we discussed that the recent advances and attention given to quantum computing have raised security concerns among IT professionals. The ability of a quantum computer to efficiently solve (elliptic curve) discrete logarithm, and integer factorization problems poses a threat to current public key exchange, encryption, and digital signature schemes. Such algorithms are widely used in protocols and products that offer encryption like IKEv2/IPsec, MACsec, and TLS.

Most encryption protocols would require the introduction of post-quantum algorithms in their key exchange and authentication mechanisms to become quantum-resistant. Many vendors like Cisco, Microsoft, Cloudflare, Google, AWS and the IETF have been looking into adding quantum-resistance into protocols.

Not all protocols are doomed from the get-go though. As explained in our PQ MACsec Whitepaper, Media Access Control Security (MACsec) is a protocol that, when configured with the correct parameters and authentication methods, can offer quantum-resistant authenticated encryption of traffic. MACsec is an IEEE 802.1AE standards-based Layer 2 hop-by-hop encryption protocol that provides data confidentiality and integrity for media access (MAC) independent protocols over wired networks by using out-of-band methods for key establishment. Before establishing a MACsec secure session, the MACsec Key Agreement (MKA) protocol is used as the control protocol. MKA selects the ciphersuite to be used for encryption and to exchange the required keys and parameters between peers. MKA uses Extensible Authentication Protocol over LAN (EAPoL) defined in IEEE 802.1X as the transport protocol to transmit MKA messages that distribute the keys. MKA provides authentication using a pre-shared key (PSK) or the 802.1X Extensible Authentication Protocol (EAP) and EAP-Transport Layer Security (EAP-TLS) framework.

The MKA/MACsec key hierarchy includes a Connectivity Association Key (CAK) established by a key agreement method (or out-of-band configuration). A Security Association (SA) defines a security relationship between members of the association. An SA is secured with a Security Association Key (SAK), forming a Secure Channel (SC). A SAK is cryptographically derived from a CAK or randomly generated by the MKA key server. SAKs are distributed to the peers by the key server using MKA messages in destination multicast MAC address EAPoL Protocol Data Units. These MKA messages carrying MACsec encryption keys are cryptographically encrypted using a Key Encryption Key (KEK) and authenticated with an Integrity Check Key (ICK), which is derived from the CAK.

To configure quantum-secure MACsec, we essentially need to configure

  • 256-bit PSKs in each peer with at least 256 bits of entropy.
  • 256-bit AES-CMAC as a KDF in counter mode for deriving the SAK, KEK, and ICK keys.
  • 256-bit AES-GCM as the MACsec data authenticated encryption algorithm.

Note that using EAP-TLS as the 802.1X EAP method to authenticate the MACsec peers and generate the master-secret utilized to derive the other keys cannot be considered quantum secure until TLS supports PQ key exchange.

For more details on configuring post-quantum MACsec tunnels in Cisco platforms, refer to our PQ MACsec Whitepaper.

For additional resources, visit trust.cisco.com.


Panos Kampanakis

Product Manager

Security & Trust Organization