NanoSec

DigiCert TrustCore SDK NanoSec is an integrated certificate management solution. It uses encryption technology to provide data confidentiality, integrity, and authenticity between participating peers in a private network.

NanoSec provides flexibility for many IPsec/IKE configurations, but typical applications generally fall into one of four use cases:

  • Host-to-Host: Two peer machines communicate securely at the IP layer level.

  • VPN via IPsec tunnel: Client and host machines communicate securely using VPN by implementing a secure IPsec tunnel.

  • MOBIKE: One peer has a fixed address while the other peer’s address is changing due to mobility or an interface change.

  • Multicast: One broadcaster machine securely sends information (through a router) to multiple receivers (clients).

NanoSec also supports NSA Suite B crypto algorithms to provide a holistic approach for securing networked devices and services, ideally suited for high-traffic enterprise and federal environments where performance is critical. Suite B cryptography is a set of cryptographic algorithms and protocols specified by NIST that are approved by the NSA for protecting classified and unclassified National Security Systems (NSS). TrustCore SDK API functions that are related to NSA Suite B cryptography are available only if NanoCrypto has been purchased. By default, only NanoCrypto Basic is included.

Features

TrustCore SDK NanoSec provides features beyond open-source IPsec implementations, including:

  • Small memory footprint

  • Complete IPsec & IKEv1/v2 solution with certificate management

  • Speeds integration & testing of IPsec and certificate management

  • Full NIST USGv6 compliant implementation of IETF IPsec version 3

  • Synchronous and asynchronous threadless architecture

  • Support for user and kernel space IPsec stack

  • Support for EAP methods (as authenticator or supplicant): GTC, LEAP, MD5, MSCHAPv2, PSK, SIM/AKA, SRP, TLS, and RADIUS Pass-Through (as authenticator only)

  • Callback to retrieve username and password

  • Support for NAT Traversal (NAT-T)

  • VPNC certified (basic and AES interoperability)

  • RSA token support (IKEv2 only) for EAP GTC authentication of IKE peers.

  • Support for EAP (IKEv2 only)

  • Support for IPv6

  • Support for PFKEY

  • Support for MOBIKE (IKEv2 only)

  • XAUTH client for using legacy authentication mechanisms

  • OS- and platform-agnostic for easy portability

  • Guaranteed GPL-free code that protects intellectual property

Supported standards

NanoSec supports the following RFC standards:

  • RFC 2367: PF_KEY Key Management API, Version 2

  • RFC 2401/4301: Security Architecture for the Internet Protocol

  • RFC 2402/4302: IP Authentication Header

  • RFC 2403: The Use of HMAC-MD5-96 within ESP and AH

  • RFC 2404: The Use of HMAC-SHA-1-96 within ESP and AH

  • RFC 2405: The ESP DES-CBC Cipher Algorithm With Explicit IV

  • RFC 2406/4303: IP Encapsulating Security Payload (ESP)

  • RFC 2407: The Internet IP Security Domain of Interpretation for ISAKMP

  • RFC 2408: Internet Security Association and Key Management Protocol (ISAKMP)

  • RFC 2409: The Internet Key Exchange (IKE)

  • RFC 2410: The NULL Encryption Algorithm and Its Use With IPsec

  • RFC 2451: The ESP CBC-Mode Cipher Algorithms

  • RFC 3280: Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile

  • RFC 3526: More Modular Exponential (MODP) Diffie-Hellman groups for Internet Key Exchange (IKE)

  • RFC 3566: The AES-XCBC-MAC-96 Algorithm and Its Uses With IPsec

  • RFC 3602: The AES-CBC Cipher Algorithm and Its Use with IPsec

  • RFC 3686: Using Advanced Encryption Standard (AES) Counter Mode With IPsec Encapsulating Security Payload (ESP)

  • RFC 3706: A Traffic-Based Method of Detecting Dead Internet Key Exchange (IKE) Peers

  • RFC 3715: IPsec-Network Address Translation (NAT) Compatibility Requirements

  • RFC 3748: Extensible Authentication Protocol (EAP)

  • RFC 3947: Negotiation of NAT-Traversal in IKE

  • RFC 3948: UDP Encapsulation of IPsec ESP Packets

  • RFC 4106: The Use of Galois/Counter Mode (GCM) in IPsec Encapsulating Security Payload (ESP)

  • RFC 4304: Extended Sequence Number (ESN) Addendum to IPsec Domain of Interpretation (DOI) for Internet Security Association and Key Management Protocol (ISAKMP)

  • RFC 4306: Internet Key Exchange (IKEv2) Protocol

  • RFC 4307: Cryptographic Algorithms for Use in the Internet Key Exchange Version 2 (IKEv2)

  • RFC 4308: Cryptographic Suites for IPsec

  • RFC 4434: The AES-XCBC-PRF-128 Algorithm for the Internet Key Exchange Protocol (IKE)

  • RFC 4478: Repeated Authentication in Internet Key Exchange (IKEv2) Protocol

  • RFC 4543: The Use of Galois Message Authentication Code (GMAC) in IPsec ESP and AH

  • RFC 4555: IKEv2 Mobility and Multihoming

  • RFC 4718: IKEv2 Clarifications and Implementation Guidelines

  • RFC 4739: Multiple Authentication Exchanges in the Internet Key Exchange (IKEv2) Protocol

  • RFC 4753/5903: ECP Groups for IKE and IKEv2

  • RFC 4754: IKE and IKEv2 Authentication Using ECDSA

  • RFC 4806: Online Certificate Status Protocol (OCSP) Extensions to IKEv2

  • RFC 4835: Cryptographic Algorithm Implementation Requirements for Encapsulating Security Payload (ESP) and Authentication Header (AH)

  • RFC 4868: Using HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 with IPsec

  • RFC 4869/6379: Suite B Cryptographic Suites for IPsec

  • RFC 4894: Use of Hash Algorithms in Internet Key Exchange (IKE) and IPsec

  • RFC 5114: Additional Diffie-Hellman Groups for Use with IETF Standards (sections 2.3-2.8, 3.2)

  • RFC 5685: Redirect Mechanism for the Internet Key Exchange Protocol Version 2 (IKEv2)

  • RFC 5996: Internet Key Exchange Protocol Version 2 (IKEv2)

  • RFC 5998: An Extension for EAP-Only Authentication in IKEv2

  • RFC 6380: Suite B Profile for Internet Protocol Security (IPsec)

  • RFC 6407: The Group Domain of Interpretation

  • RFC 7296: Internet Key Exchange Protocol Version 2 (IKEv2)

  • RFC 7383: Internet Key Exchange Protocol Version 2 (IKEv2) Message Fragmentation

  • RFC 7427: Signature Authentication in the Internet Key Exchange Version 2 (IKEv2)

  • RFC 8031: Curve25519 and Curve448 for IKEv2

  • RFC 8420: EdDSA in IKEv2

  • RFC 8784: Mixing Preshared Keys in the IKEv2 for Post-Quantum Security

  • ModeConfig: draft-dukes-ike-mode-cfg-02.txt

  • XAUTH: draft-ietf-ipsec-isakmp-xauth-06.txt

  • IKEv1 fragmentation: see https://msdn.microsoft.com/en-us/library/cc233458.aspx

  • OCSP: Integrated with IKE for Online Certificate Status verification

System requirements

Memory requirements

NanoSec/IPSec has a minimum memory footprint of 21KB¹. NanoSec/IKE has a minimum memory footprint of 186KB¹.

Typical memory usage assumes a full set of ciphers and may vary (decrease or increase) depending on 32/64-bit architecture, x86/ARM/MIPS, a reduced set of ciphers, static/shared library linking, and compile flags.

¹ Estimate based on Intel x86 builds.

Supported operating systems

NanoSec is supported out-of-the-box on the following operating systems:

  • Linux (Ubuntu, Debian, Raspbian, CentOS)

  • Solaris

  • Microsoft® Windows

  • Cygwin

  • FreeBSD

  • QNX

Supported operating platforms

NanoSec is supported on the following operating platforms:

  • Intel® x86

  • ARM A/M Series

  • Hardware Acceleration (Intel AES-NI, Vendor Extensions via NanoCrypto Callbacks)

  • Secure Element (TPM 1.2)