Device Authentication in HCMP topology for PTP 700

We posted a description of device authentication in the PTP topology here: Device Authentication in PTP topology for PTP 670/700. In this post, we’ll do something similar for the HCMP topology.


In the HCMP topology, Access Method is always set to Group Access. Slave ODUs will not connect to a Master ODU unless they are configured with the same Group ID. Group ID is an integer in the range 0 to 255. As an operator, you have a choice of using a different Group ID in every sector, so that a Slave cannot be accidentally connected to the wrong Master, or the same Group ID in every sector, so that Slaves can be installed on any Master.


Remember that Access Method provides effective protection against honest configuration errors, but it does not necessarily protect against a malicious attack by a determined and knowledgeable attacker.


In PTP700-02-50, we provide three wireless encryption algorithms with cryptographically-secure device authentication, namely:


  • TLS-PSK 128-bit
  • TLS-PSK 256-bit

Authentication using TLS-RSA


All PTP 670/700 ODUs have factory-installed RSA device certificates. These certificates securely identify the ODU MAC address. TLS-RSA exchanges certificates between Master and Slave. The Master cryptographically verifies the identity of the Slave and the Slave similarly verifies the identity of the Master. An ODU will not connect a wireless link if the encryption algorithm is TLS RSA and the certificate of the remote unit cannot be verified.


Authorization using TLS-RSA


A Master or Slave ODU authorizes a remote device in an HCMP link using TLS-RSA by checking the authenticated MAC address of the remote unit against a Whitelist or a Blacklist.


With the Whitelist option, the ODU will connect only if the authenticated MAC address of the remote unit is in the list of authorized ODUs. As an operator, you have to populate the Whitelist with the MAC addresses of any ODU that should be allowed to connect. This is the HCMP equivalent of the Target MAC Address used in PTP topology.


With the Blacklist option, the ODU will always connect unless the authenticated MAC address is in list of unauthorized ODUs.


The Blacklist offers limited benefits with factory-installed certificates in a deployed network since, to be secure, the Blacklist would have to include all PTP 700 ODUs manufactured by Cambium apart from the ones used in your network. Obviously that is not practical. However, the Blacklist does provide a relatively simple way to build a network with the minimum of configuration, in applications where security is not an immediate priority, for example when evaluating wireless performance.


Also, as we will explain in a later post, there is a further option to install operator-supplied device certificates, which makes the Blacklist very useful indeed.


To keep things relatively simple, the Whitelist and Blacklist cannot be used at the same time.


Authentication and authorization using TLS-PSK


In the TLS-PSK option, all of the Master and Slave ODUs in an HCMP sector must be configured with the same 128-bit or 256-bit pre-shared key (PSK). Authentication and authorization occur as a single step, based on the secret PSK. All ODUs in the sector must be configured for the same key size. Each unit will connect only to a remote unit that shares the same secret.


Licensing of secure device authentication


The TLS-PSK encryption algorithms are not available unless the ODU has the optional AES license. TLS-PSK 256-bit requires the 256-bit AES license. The TLS-RSA algorithm can be used to provide secure authentication and authorization without the AES license. However, in this case TLS-RSA stops at authentication and authorization, and will not go on to provide AES encryption for privacy in the wireless link.