I’ve been studying MACsec, specifically static CAK mode. One thing that sticks out to me is that it appears the pre-shared keys (CKN and CAK), which are used to authenticate the remote end of the connection, are sent over the link in clear text, and then the key server sends keys over the link periodically. No challenge-hash for authentication or Diffie-Hellman for key exchange? How is that secure? Maybe the documents I’ve been reading are oversimplifying. Can anyone explain more thoroughly how MACsec does key exchange over the insecure link?