Media Access Control Security (MACsec) establishes secure transfer of data between two devices on the same LAN regardless of the intervening devices or network, giving confidentiality, integrity, and authenticity of user data. It operates at the medium access control layer (Data Link layer L2) in accordance to the IEEE 802.1AE-2018 standard. It can identify and prevent security threats such as, Denial of Service, intrusion, masquerading, man-in-the-middle, and passive wiretapping.

By running the MACsec client on each device, the communication between devices is secured. MACsec works by establishing a bi-directional secure link after an exchange and verification of security keys between the two connected devices. A combination of data integrity checks and encryption is used to safeguard the transmitted data.

The sending device appends a header and tail to all Ethernet frames to be sent, and encrypts the data payload within the frame. The receiving device checks the header and tail for integrity. If the check fails, the traffic is dropped. On a successful check, the frame is decrypted.

MACsec Key Agreement

MACsec Key Agreement (MKA) is a protocol that provides compatible authentication, authorization and cryptographic key agreement mechanism to support secure communication between devices connected to LAN. MKA is based on IEEE 802.1XREV-2010 specification EAPoL (Extensible Authentication Protocol over LAN) and implemented as a message type extension.

MKA uses the Connectivity Association Key to derive transient session keys called Secure Association Keys (SAKs). SAKs and other MKA parameters are required to sustain communication over the secure channel and to perform encryption and other MACsec security functions. SAKs, along with other essential control information, are distributed in MKA protocol control packets.

Typical MACsec use cases

The need to prevent costly data breaches within the physical network infrastructure of routers, bridges, and switches, as well as across a range of connected (embedded) devices, is becoming increasingly important. In a LAN, any connected device can listen to broadcast messages sent by any other connected device.

When MACsec is in use, only authenticated peers are able to connect to the network and all local attacks that “trick” switches and routers to redirect network traffic to attacker machines do not work if MACsec is enabled.

MACSec provides secure and encrypted communication at Layer 2 that is capable of identifying and preventing most intrusion threats launched from behind the firewall. It provides device-to-device integrity and complements existing end-to-end security solutions such as IPSec and TLS (SSL) to prevent both external and internal network attacks.


HCC's Embedded Encryption Manager (EEM) is used for data encryption. MACsec uses the Galois/Counter Mode Advanced Encryption Standard (AES-GCM) for authenticated encryption to provide privacy and integrity.

HCC’s MACsec implementation can be integrated with both RTOS and non-RTOS based systems, is (MCU/CPU) platform independent and is provided with fully tested reference drivers. Its API is well defined and documented and the software is fully MISRA-C compliant and strictly following the IEEE 802.1AE standard.