
KR-20260064570-A - APPARATUS FOR PROTECTING DATA AND METHOD FOR PROTECTING DATA

KR20260064570A

Abstract

An apparatus and method for protecting data frames at the transmission side of a frame-based communication link are described. The apparatus includes a cryptographic suite module. The cryptographic suite module receives a data frame and, if the data frame is a priority data frame, protects the data frame based on a first cryptographic key, and if the data frame is a non-priority data frame, protects the data frame based on a second cryptographic key. A non-priority data frame is a data frame whose transmission can be interrupted by a data frame that is a priority data frame. After protecting the data frame, the cryptographic suite module provides the protected data frame for transmission over the frame-based communication link.

Inventors

  • 마드뮐러, 크리스티안
  • 벨리츠, 토비아스

Assignees

  • 르네사스 일렉트로닉스 가부시키가이샤

Dates

Publication Date
2026-05-07
Application Date
2025-10-27
Priority Date
2024-10-30

Claims (20)

  1. A device for protecting data frames for a frame-based communication link, comprising a cryptographic suite module configured to receive a data frame, wherein the cryptographic suite module is further configured to protect the data frame based on a first cryptographic key when the data frame is a priority data frame and to protect the data frame based on a second cryptographic key when the data frame is a non-priority data frame, a non-priority data frame being a data frame whose transmission can be interrupted by a data frame that is a priority data frame; and wherein the cryptographic suite module is further configured to provide the protected data frame for transmission over the frame-based communication link.
  2. The device of claim 1, wherein protecting the data frame based on the first cryptographic key when the data frame is a priority data frame, and protecting the data frame based on the second cryptographic key when the data frame is a non-priority data frame, comprises adding to the data frame an integrity value computed from the data frame and the first cryptographic key when the data frame is a priority data frame, and adding to the data frame an integrity value computed from the data frame and the second cryptographic key when the data frame is a non-priority data frame.
  3. The device of claim 2, wherein protecting the data frame based on the first cryptographic key when the data frame is a priority data frame, and protecting the data frame based on the second cryptographic key when the data frame is a non-priority data frame, further comprises encrypting the data frame using the first cryptographic key when the data frame is a priority data frame, and encrypting the data frame using the second cryptographic key when the data frame is a non-priority data frame.
  4. The device of claim 1, wherein the frame-based communication link is a wired communication link.
  5. The device of claim 4, wherein the frame-based communication link is an Ethernet communication link and the device is a Media Access Control Security (MACsec) device on the Ethernet transmitting side; the data frame is an Ethernet data frame, the priority data frame is an express data frame, and the non-priority data frame is a preemption data frame; and the first cryptographic key belongs to a first Secure Channel (SC) and the second cryptographic key belongs to a second SC.
  6. The device of claim 5, wherein the cryptographic suite module is configured to receive the data frame from a transmission queue of the transmitting side of the frame-based communication link.
  7. The device of claim 6, further comprising a classification module and an SC configuration module, wherein the classification module is configured to receive priority information of the data frame from the transmission queue, to classify the data frame as a priority data frame or a non-priority data frame based on the priority information, and to provide the classification result to the SC configuration module; and wherein the SC configuration module is configured to select an SC based on the classification result and to provide the selected SC to the cryptographic suite module for protecting the data frame.
  8. The device of claim 4, wherein providing the protected data frame for transmission comprises providing the protected data frame to an Ethernet MAC module, the device either including the Ethernet MAC module or being connected to the Ethernet MAC module.
  9. A device for verifying the ordering of data frames for a frame-based communication link, comprising a packet number handling module configured to receive priority information of a received data frame, the priority information indicating whether the received data frame is a priority data frame or a non-priority data frame, a non-priority data frame being a data frame whose transmission can be interrupted by a data frame that is a priority data frame; wherein the packet number handling module is further configured to: receive the packet number of the received data frame; if the priority information indicates that the received data frame is a priority data frame, compare the packet number with a priority packet counter and a common packet counter and, based on the comparison, maintain or update the priority packet counter and the common packet counter or instruct that the received data frame be discarded; and if the priority information indicates that the received data frame is a non-priority data frame, compare the packet number with a non-priority packet counter, the priority packet counter and the common packet counter and, based on the comparison, maintain or update the priority packet counter, the non-priority packet counter and the common packet counter or instruct that the received data frame be discarded.
  10. The device of claim 9, wherein the frame-based communication link is a wired communication link.
  11. The device of claim 10, wherein the frame-based communication link is an Ethernet communication link and the device is a Media Access Control Security (MACsec) device on the Ethernet receiving side; and wherein the data frame is an Ethernet data frame, the priority data frame is an express data frame, and the non-priority data frame is a preempted data frame.
  12. The device of claim 9, wherein comparing the packet number with the priority packet counter and the common packet counter and, based on the comparison, maintaining or updating the priority packet counter and the common packet counter or instructing that the received data frame be discarded comprises: if the packet number is greater than or equal to the priority packet counter and the common packet counter, updating the priority packet counter and the common packet counter; and if the packet number is smaller than the lowest packet number of a priority window extending downward from the priority packet counter, or smaller than the lowest packet number of a common window extending downward from the common packet counter, maintaining the priority packet counter and the common packet counter and instructing that the received data frame be discarded; and wherein comparing the packet number with the non-priority packet counter, the priority packet counter and the common packet counter and, based on the comparison, maintaining or updating the priority packet counter, the non-priority packet counter and the common packet counter or instructing that the received data frame be discarded comprises: if the packet number is greater than or equal to the non-priority packet counter, the common packet counter or the priority packet counter, updating the priority packet counter, the non-priority packet counter or the common packet counter; and if the packet number is smaller than the lowest packet number of a non-priority window extending downward from the non-priority packet counter, or smaller than the lowest packet number of the common window, maintaining the priority packet counter, the non-priority packet counter and the common packet counter and instructing that the received data frame be discarded.
  13. The device of claim 12, wherein the sizes of the priority window and the non-priority window are 0 and the size of the common window is greater than 0.
  14. The device of claim 11, wherein the packet number handling module receives the priority information from an Ethernet MAC module, the device either including the Ethernet MAC module or being connected to the Ethernet MAC module.
  15. The device of claim 14, further comprising a decryption module configured to decrypt the received data frame when the received data frame is not discarded, wherein the received data frame is received from the Ethernet MAC module and the decryption of the received data frame is based on a pre-negotiated security association (SC).
  16. The device of claim 15, wherein the pre-negotiated SC is negotiated with the Ethernet transmitting side based on a MACsec Key Agreement (MKA).
  17. The device of claim 16, wherein the pre-negotiated SC consists of a single SC.
  18. The device of claim 15, wherein the decryption module is further configured to forward the decrypted received data frame to a receive queue of the frame-based communication link.
  19. A method of protecting a data frame using a device according to claim 1.
  20. A method of verifying the ordering of data frames using a device according to claim 9.
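The transmit-side device of claims 1 to 8 can be modelled in a few lines. The Python below is an added illustration written for this page, not code from the patent or from Renesas: a classification step decides express versus preemptable from a priority value (the threshold of 4 is an assumption), an SC configuration step picks one of two secure channels, and the cryptographic suite adds an integrity value with that channel's key (claim 2). HMAC-SHA256 stands in for the GCM-AES integrity check value of real MACsec, the SCI values and demo keys are constructed, and a single packet-number counter shared by both classes is an assumption made so that the receive side can check ordering across classes.

```python
import hashlib
import hmac
import struct
from dataclasses import dataclass

# Constructed demo keys: in MACsec each secure channel's key is distributed by MKA.
EXPRESS_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")      # first key, first SC
PREEMPTABLE_KEY = bytes.fromhex("ffeeddccbbaa99887766554433221100")  # second key, second SC

# Hypothetical secure channel identifiers for the two SCs (assumption, not from the page).
SCI_EXPRESS = 0x0001
SCI_PREEMPTABLE = 0x0002


@dataclass
class ProtectedFrame:
    sci: int           # which SC (and therefore which key) protected the frame
    pn: int            # packet number carried in the SecTAG
    is_priority: bool  # express (True) or preemptable (False)
    payload: bytes
    icv: bytes         # integrity check value over SCI, PN and payload


def compute_icv(key: bytes, sci: int, pn: int, payload: bytes) -> bytes:
    """HMAC-SHA256 stands in for the GCM-AES ICV of real MACsec (assumption); the tag
    binds the SC identifier and the PN to the payload so neither can be swapped."""
    header = struct.pack(">QI", sci, pn)
    return hmac.new(key, header + payload, hashlib.sha256).digest()[:16]


def verify_icv(key: bytes, frame: ProtectedFrame) -> bool:
    """Receive-side check; fails if the frame was protected under the other SC's key."""
    expected = compute_icv(key, frame.sci, frame.pn, frame.payload)
    return hmac.compare_digest(expected, frame.icv)


class TxCryptoSuite:
    """Transmit-side device of claim 1: classifies the frame, selects the SC by class
    and adds an integrity value with that SC's key (claim 2). One PN counter is shared
    by both classes (assumption) so the receiver can check ordering across classes."""

    def __init__(self, express_key: bytes, preemptable_key: bytes, express_threshold: int = 4):
        self._keys = {SCI_EXPRESS: express_key, SCI_PREEMPTABLE: preemptable_key}
        self._threshold = express_threshold  # priorities at or above this are express (assumption)
        self._next_pn = 1                    # MACsec PNs start at 1

    def classify(self, priority: int) -> bool:
        """Classification module (claim 7): True for a priority (express) frame."""
        return priority >= self._threshold

    def protect(self, payload: bytes, priority: int) -> ProtectedFrame:
        is_priority = self.classify(priority)
        sci = SCI_EXPRESS if is_priority else SCI_PREEMPTABLE   # SC configuration module
        pn, self._next_pn = self._next_pn, self._next_pn + 1
        icv = compute_icv(self._keys[sci], sci, pn, payload)
        return ProtectedFrame(sci, pn, is_priority, payload, icv)


if __name__ == "__main__":
    tx = TxCryptoSuite(EXPRESS_KEY, PREEMPTABLE_KEY)
    express = tx.protect(b"brake-command", priority=6)
    bulk = tx.protect(b"firmware-chunk", priority=1)
    print(express.sci, express.pn, verify_icv(EXPRESS_KEY, express))  # 1 1 True
    print(bulk.sci, bulk.pn, verify_icv(EXPRESS_KEY, bulk))           # 2 2 False
```

The point of the two channels is visible in the last line: a frame protected under the express SC does not verify under the preemptable SC's key, so a receiver can hold the two classes to different ordering rules without one class being able to forge frames of the other.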

Description

Apparatus for protecting data and method for protecting data

Cross-reference to related applications

The disclosure of German patent application No. 10 2024 131 700.0, filed on October 30, 2024, including the specification, drawings and abstract, is incorporated herein by reference in its entirety.

The present disclosure relates to frame-based communication, and more specifically to the combination of security and preemption techniques for frame-based communication.

In frame-based communication, latency as well as security needs to be considered, individually or in combination, depending on the use case. However, security and latency requirements can conflict with each other, or it may be difficult to satisfy both at the same time. For example, in the case of Ethernet, security at the data link level is provided by Ethernet Media Access Control Security (MACsec).

MACsec

MACsec is a security protocol designed to provide secure communication over Ethernet networks by protecting data at the data link layer (Layer 2). Defined in the IEEE 802.1AE and IEEE 802.1X standards, MACsec provides data confidentiality, integrity and authentication. This ensures that communication between directly connected devices, such as switches, routers and end-user devices, is protected from threats including unauthorized access, eavesdropping, replay attacks and data tampering. MACsec uses cryptographic techniques to encrypt and authenticate Ethernet frames, preventing attackers from intercepting or altering data in transit. It supports point-to-point encryption, securing data hop by hop across network devices, which makes it well suited to local area networks (LANs), data center environments, enterprise networks, industrial environments and automotive environments.
Specifically, MACsec prevents replay attacks by including a packet numbering mechanism and a replay protection window in its security architecture. At the transmitting side, a unique sequential number called the Packet Number (PN) is assigned to every Ethernet frame protected by MACsec. This number increases for each frame transmitted from a given node. The PN is carried in the frame's security tag (SecTAG), which is part of the MACsec header. Since the PN is unique and always increments, each transmitted frame can be uniquely identified by the receiver. In addition, the receiving device maintains a sliding window of acceptable PNs for incoming frames. If a frame arrives with a PN outside this window, indicating that it is too old or has already been processed, the frame is discarded. This ensures that frames replayed or delayed by an attacker are rejected because their PNs fall outside the expected range. To achieve complete replay protection, the window size can be set to zero; data frames are then accepted only if they arrive sequentially, i.e., with PNs in ascending order. By combining packet numbering and the replay protection window, MACsec ensures that only legitimate, new frames are accepted, which prevents an attacker from capturing and replaying old frames to disrupt communication or impersonate a legitimate sender.

To protect data frames, MACsec further relies on two key concepts, the Secure Channel (SC) and the Secure Association (SA). An SC is a logical connection established between two or more MACsec-enabled devices, typically peers such as switches or hosts, over which secure communication takes place. The SC forms the basis of the MACsec security model by ensuring that all communication between the devices is protected under the same security policy. Within an SC, Ethernet frames are protected using encryption and integrity checks, making eavesdropping or tampering difficult.
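The replay window just described is exactly what collides with preemption: a preemptable frame that has already been assigned its PN can be overtaken on the wire by an express frame with a higher PN, and a single counter with window 0 then rejects the legitimate late frame. The Python below is an added example written for this page (not code from the patent or from Renesas) that runs the classic single-counter check from the description next to the three-counter scheme of claims 9, 12 and 13 over one constructed arrival sequence. Two details the claims leave open are assumptions here: a window of size w covers the w PNs immediately below its counter (so the counter's own PN is always a replay and window 0 means strictly ascending), and the discard test is evaluated before any counter is updated. The names PnHandler, ClassicReplay and preemption_scenario are mine.

```python
from dataclasses import dataclass


@dataclass
class Counters:
    priority: int = 0      # highest PN accepted on a priority (express) frame
    non_priority: int = 0  # highest PN accepted on a non-priority (preemptable) frame
    common: int = 0        # highest PN accepted on any frame


def below_window(pn: int, counter: int, window: int) -> bool:
    """True when pn lies below the window of `window` PNs directly beneath `counter`.
    Assumption: the counter's own PN is outside the window, so an exact replay is
    always rejected and window 0 accepts only PNs above the counter."""
    return pn <= counter - window


class ClassicReplay:
    """Single-counter replay check as in the MACsec description: one highest-seen
    PN and one window below it; window 0 means strictly ascending PNs only."""

    def __init__(self, window: int = 0):
        self.window = window
        self.highest = 0

    def check(self, pn: int) -> bool:
        if below_window(pn, self.highest, self.window):
            return False
        self.highest = max(self.highest, pn)
        return True


class PnHandler:
    """Packet number handling module of claims 9 and 12: separate counters and windows
    for priority and non-priority frames plus a common counter and window."""

    def __init__(self, w_priority: int = 0, w_non_priority: int = 0, w_common: int = 2):
        self.w_priority, self.w_non_priority, self.w_common = w_priority, w_non_priority, w_common
        self.c = Counters()

    def check(self, pn: int, is_priority: bool) -> bool:
        """Return True to accept (counters maintained or updated), False to discard.
        Assumption: the discard test runs before any counter update."""
        c = self.c
        if is_priority:
            if below_window(pn, c.priority, self.w_priority) or below_window(pn, c.common, self.w_common):
                return False                      # maintain counters, discard frame
            if pn >= c.priority and pn >= c.common:
                c.priority = c.common = pn        # update both counters
            return True                           # inside a window: accept, counters maintained
        if below_window(pn, c.non_priority, self.w_non_priority) or below_window(pn, c.common, self.w_common):
            return False
        # Advance every counter the PN meets or exceeds. Advancing the priority counter
        # from a non-priority frame is what later keeps a replayed express frame out.
        if pn >= c.non_priority:
            c.non_priority = pn
        if pn >= c.common:
            c.common = pn
        if pn >= c.priority:
            c.priority = pn
        return True


def preemption_scenario():
    """Constructed arrival sequence: PNs were assigned in transmit order 1 (preemptable),
    2 (express), 3 (preemptable); the express frame interrupts frame 1 and so completes
    first. The last two arrivals are replays of 1 and 2. Returns the (classic, split)
    accept/discard decisions per arrival."""
    arrivals = [(2, True), (1, False), (3, False), (1, False), (2, True)]
    classic = ClassicReplay(window=0)
    # Claim 13 shape: priority and non-priority windows 0, common window > 0. The common
    # window must cover the number of express frames that can overtake one preemptable frame.
    split = PnHandler(w_priority=0, w_non_priority=0, w_common=2)
    return ([classic.check(pn) for pn, _ in arrivals],
            [split.check(pn, prio) for pn, prio in arrivals])


if __name__ == "__main__":
    classic, split = preemption_scenario()
    print("classic window-0 check:", classic)  # [True, False, True, False, False]
    print("split-counter check:  ", split)     # [True, True, True, False, False]
```

The classic check drops the legitimate preempted frame 1 because PN 2 already arrived; the split-counter check accepts it through the common window while still rejecting both replays, because the non-priority window is 0 and the non-priority frame 3 advanced the priority counter past the replayed express PN 2. Undersizing the common window reintroduces the original problem: with w_common=1 the same preempted frame is discarded again.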
A single SC can have multiple SAs that manage the actual cryptographic operations. The SA is therefore responsible for the cryptographic parameters (e.g., keys and algorithms) used within the SC to protect Ethernet frames. For simplicity, the following description refers primarily to SCs, even where the functionality belongs to SAs.

Preemption

In addition, Ethernet preemption was introduced to meet specific latency requirements. Ethernet preemption is a technique defined in the IEEE 802.1Q-2022 standard and designed to improve the efficiency and predictability of Ethernet networks, particularly in time-sensitive applications. It allows a high-priority frame to interrupt the transmission of a low-priority frame, so that urgent data is transmitted with minimal delay. Once the high-priority transmission is complete, the low-priority frame resumes from where it left off, ensuring that no data is lost during preemption. These characteristics are essential for applications requiring low-latency communication, such as industrial automation, autonomous vehicles, communication