Summary

A summary of these features is provided below. See the APN Security Technical Paper for more details. Each feature is configurable at a global level, for the entire Adaptive Private Network (Oracle SD-WAN Edge).

256-bit AES Encryption

256-bit AES Encryption is now supported, in addition to the previously supported 128-bit AES Encryption. 256-bit AES Encryption is not enabled by default.

Enhanced Encryption Key Generation/Rotation

Per-session encryption keys are generated and automatically rotated (when Encryption Key Rotation is enabled) using an Elliptic Curve Diffie-Hellman algorithm. Encryption Key Rotation is enabled by default.

Extended Packet Authentication Trailer

To give users strong message authentication, an optional trailer inside the encrypted payload can now be enabled. By default, this optional trailer is composed of a 4-byte checksum of the unencrypted packet data, which acts like a standard Hash-based Message Authentication Code (HMAC). While a standard HMAC would impact performance significantly, this checksum trailer provides a similar benefit while minimizing processing overhead. If use of a standard HMAC is required, the optional trailer can be configured to use a 16-byte SHA-256 HMAC in place of the 4-byte packet checksum.
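
The trailer handling described above, as an added example that is not Oracle's code: it appends and verifies both trailer forms over the unencrypted packet data, before encryption and after decryption. CRC-32 is an assumed stand-in for the unspecified 4-byte checksum, and the function names, sample key and sample packet are constructed for illustration.

```python
import hashlib
import hmac
import struct
import zlib

CHECKSUM_LEN = 4   # default trailer size stated on the page
HMAC_LEN = 16      # optional SHA-256 HMAC trailer size stated on the page


def make_trailer(data: bytes, mode: str, key: bytes = b"") -> bytes:
    """Return the trailer for the unencrypted packet data."""
    if mode == "checksum":
        # Assumption: CRC-32 stands in for the product's unspecified checksum.
        # It takes no key, so it only detects changes while the trailer stays
        # hidden inside the encrypted payload.
        return struct.pack(">I", zlib.crc32(data))
    if mode == "hmac":
        # HMAC-SHA-256 truncated to its leftmost 16 bytes.
        return hmac.new(key, data, hashlib.sha256).digest()[:HMAC_LEN]
    raise ValueError(f"unknown trailer mode: {mode}")


def seal(data: bytes, mode: str, key: bytes = b"") -> bytes:
    """Plaintext that would then be encrypted: data followed by its trailer."""
    return data + make_trailer(data, mode, key)


def open_checked(plaintext: bytes, mode: str, key: bytes = b""):
    """After decryption: split off the trailer, verify it, return data or None."""
    n = CHECKSUM_LEN if mode == "checksum" else HMAC_LEN
    if len(plaintext) < n:
        return None  # too short to carry a trailer
    data, trailer = plaintext[:-n], plaintext[-n:]
    expected = make_trailer(data, mode, key)
    # Constant-time comparison avoids leaking how many trailer bytes matched.
    return data if hmac.compare_digest(trailer, expected) else None


def flip_bit(buf: bytes, index: int) -> bytes:
    """Simulate in-transit corruption of one bit (constructed test input)."""
    return buf[:index] + bytes([buf[index] ^ 0x01]) + buf[index + 1:]


if __name__ == "__main__":
    key = bytes(range(32))                 # constructed sample key
    pkt = b"constructed sample packet"     # constructed sample data
    for mode in ("checksum", "hmac"):
        sealed = seal(pkt, mode, key)
        print(mode, len(sealed) - len(pkt), open_checked(flip_bit(sealed, 3), mode, key))
```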

Extended Packet Encryption Header

To provide the highest level of packet uniqueness and protection against Frequency Analysis, an optional 16-byte counter can now be prefixed inside the encrypted payload to act as a rotating, cryptographically random Initialization Vector.