NanoSec
DigiCert TrustCore SDK NanoSec is an integrated certificate management solution. It uses encryption technology to provide data confidentiality, integrity, and authenticity between participating peers in a private network.
NanoSec provides flexibility for many IPsec/IKE configurations, but typical applications generally fall into one of four use cases:
Host-to-Host: Two peer machines communicate securely at the IP layer level.
VPN via IPsec tunnel: Client and host machines communicate securely using VPN by implementing a secure IPsec tunnel.
MOBIKE: One peer has a fixed address while the other peer’s address is changing due to mobility or an interface change.
Multicast: One broadcaster machine securely sends information (through a router) to multiple receivers (clients).
NanoSec also supports NSA Suite B crypto algorithms to provide a holistic approach for securing networked devices and services, ideally suited for high-traffic enterprise and federal environments where performance is critical. Suite B cryptography is a set of cryptographic algorithms and protocols specified by NIST that are approved by the NSA for protecting classified and unclassified National Security Systems (NSS). TrustCore SDK API functions that are related to NSA Suite B cryptography are available only if NanoCrypto has been purchased. By default, only NanoCrypto Basic is included.
Features
TrustCore SDK NanoSec provides features beyond open-source IPsec implementations, including:
Small memory footprint
Complete IPsec & IKEv1/v2 solution with certificate management
Speeds integration & testing of IPsec and certificate management
Full NIST USGv6 compliant implementation of IETF IPsec version 3
Synchronous and asynchronous threadless architecture
Support for user and kernel space IPsec stack
Support for EAP methods (as authenticator or supplicant): GTC, LEAP, MD5, MSCHAPv2, PSK, SIM/AKA, SRP, TLS, RADIUS Pass-Through (as authenticator only)
Callback to retrieve username and password
Support for NAT Traversal (NAT-T)
VPNC certified (basic and AES interoperability)
RSA token support (IKEv2 only) for EAP GTC authentication of IKE peers.
Support for EAP (IKEv2 only)
Support for IPv6
Support for PFKEY
Support for MOBIKE (IKEv2 only)
XAUTH client for using legacy authentication mechanisms
OS- and platform-agnostic for easy portability
Guaranteed GPL-free code that protects intellectual property
Supported standards
NanoSec supports the following RFC standards:
RFC 2367: PF_KEY Key Management API, Version 2
RFC 2401/4301: Security Architecture for the Internet Protocol
RFC 2402/4302: IP Authentication Header
RFC 2403: The Use of HMAC-MD5-96 within ESP and AH
RFC 2404: The Use of HMAC-SHA-1-96 within ESP and AH
RFC 2405: The ESP DES-CBC Cipher Algorithm With Explicit IV
RFC 2406/4303: IP Encapsulating Security Payload (ESP)
RFC 2407: The Internet IP Security Domain of Interpretation for ISAKMP
RFC 2408: Internet Security Association and Key Management Protocol (ISAKMP)
RFC 2409: The Internet Key Exchange (IKE)
RFC 2410: The NULL Encryption Algorithm and Its Use With IPsec
RFC 2451: The ESP CBC-Mode Cipher Algorithms
RFC 3280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile
RFC 3526: More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE)
RFC 3566: The AES-XCBC-MAC-96 Algorithm and Its Uses With IPsec
RFC 3602: The AES-CBC Cipher Algorithm and Its Use with IPsec
RFC 3686: Using Advanced Encryption Standard (AES) Counter Mode With IPsec Encapsulating Security Payload (ESP)
RFC 3706: A Traffic-Based Method of Detecting Dead Internet Key Exchange (IKE) Peers
RFC 3715: IPsec-Network Address Translation (NAT) Compatibility Requirements
RFC 3748: Extensible Authentication Protocol (EAP)
RFC 3947: Negotiation of NAT-Traversal in IKE
RFC 3948: UDP Encapsulation of IPsec ESP Packets
RFC 4106: The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating Security Payload (ESP)
RFC 4304: Extended Sequence Number (ESN) Addendum to IPsec Domain of Interpretation (DOI) for Internet Security Association and Key Management Protocol (ISAKMP)
RFC 4306: Internet Key Exchange (IKEv2) Protocol
RFC 4307: Cryptographic Algorithms for Use in the Internet Key Exchange Version 2 (IKEv2)
RFC 4308: Cryptographic Suites for IPsec
RFC 4434: The AES-XCBC-PRF-128 Algorithm for the Internet Key Exchange Protocol (IKE)
RFC 4478: Repeated Authentication in Internet Key Exchange (IKEv2) Protocol
RFC 4543: The Use of Galois Message Authentication Code (GMAC) in IPsec ESP and AH
RFC 4555: IKEv2 Mobility and Multihoming
RFC 4718: IKEv2 Clarifications and Implementation Guidelines
RFC 4739: Multiple Authentication Exchanges in the Internet Key Exchange (IKEv2) Protocol
RFC 4753/5903: ECP Groups for IKE and IKEv2
RFC 4754: IKE and IKEv2 Authentication Using ECDSA
RFC 4806: Online Certificate Status Protocol (OCSP) Extensions to IKEv2
RFC 4835: Cryptographic Algorithm Implementation Requirements for Encapsulating Security Payload (ESP) and Authentication Header (AH)
RFC 4868: Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with IPsec
RFC 4869/6379: Suite B Cryptographic Suites for IPsec
RFC 4894: Use of Hash Algorithms in Internet Key Exchange (IKE) and IPsec
RFC 5114: Additional Diffie-Hellman Groups for Use with IETF Standards (sections 2.3-2.8, 3.2)
RFC 5685: Redirect Mechanism for the Internet Key Exchange Protocol Version 2 (IKEv2)
RFC 5996: Internet Key Exchange Protocol Version 2 (IKEv2)
RFC 5998: An Extension for EAP-Only Authentication in IKEv2
RFC 6380: Suite B Profile for Internet Protocol Security (IPsec)
RFC 6407: The Group Domain of Interpretation
RFC 7296: Internet Key Exchange Protocol Version 2 (IKEv2)
RFC 7383: Internet Key Exchange Protocol Version 2 (IKEv2) Message Fragmentation
RFC 7427: Signature Authentication in the Internet Key Exchange Version 2 (IKEv2)
RFC 8031: Curve25519 and Curve448 for IKEv2
RFC 8420: EdDSA in IKEv2
RFC 8784: Mixing Preshared Keys in IKEv2 for Post-Quantum Security
ModeConfig: draft-dukes-ike-mode-cfg-02.txt
XAUTH: draft-ietf-ipsec-isakmp-xauth-06.txt
IKEv1 fragmentation: see https://msdn.microsoft.com/en-us/library/cc233458.aspx
OCSP: Integrated with IKE for Online Certificate Status verification
System requirements
Memory requirements
NanoSec/IPSec has a minimum memory footprint of 21 KB¹. NanoSec/IKE has a minimum memory footprint of 186 KB¹.
Typical memory usage figures assume a full set of ciphers and may decrease or increase depending on 32/64-bit builds, x86/ARM/MIPS architecture, a reduced set of ciphers, static or shared library linkage, and compile flags.
¹ Estimate based on Intel x86 builds.
Supported operating systems
NanoSec is supported out-of-the-box on the following operating systems:
Linux (Ubuntu, Debian, Raspbian, CentOS)
Solaris
Microsoft® Windows
Cygwin
FreeBSD
QNX
Supported operating platforms
NanoSec is supported on the following operating platforms:
Intel® x86
ARM A/M Series
Hardware Acceleration (Intel AES-NI, Vendor Extensions via NanoCrypto Callbacks)
Secure Element (TPM 1.2)