| | Proposition | MACsec | OPC-UA (OPC - gateway) |
|---|---|---|---|
| Confidentiality | Chacha20/AES-GCM | AES-GCM | Basic, AES |
| Integrity | Poly1305/GCM | GCM + ICV | SHA256 RSA Sign |
| Keys | Certificates MSK SK + N | PSK (CAK, CKN) KEK + ICV SAK | Certificates + Master Key |
| Authentication | Radius EAP-TLS Certificates | Radius EAP-AKA | TLS Anonym/User/Certificate |
| Key Derivation | scrypt (robust but slow) | AES-ECB => (KEK, ICV) AES-CMAC KDF AES Key Wrap | PSK/xxDH(E) |
| Performance | Software I0 not measured | Software/Hardware I0 = 30 ms | Software I0 = 100 - 300 ms |
| Cost (with HW upgrade) | ++ | ++(+++) | ++(++) |
| Security | Light/Strong | Strong | Light (Basic)/Strong (AES) |
| Certified | No | Yes | Yes |