(AES), was adopted by the U.S. government in 2001, and is widely used
today across the software ecosystem to protect network traffic, personal
data and corporate IT infrastructure. AES applications include secure
commerce, data security in database and storage, secure virtual machine
migration, and full disk encryption. According to an IDC Encryption Usage Survey,
the most widely used applications are corporate databases and archival
backup. Full disk encryption is also receiving lots of attention.
In order to achieve faster, more secure encryption — which makes the
use of encryption feasible where it was not before — Intel introduced
the Intel Advanced Encryption Standard New Instructions (Intel AES-NI), a
set of seven new instructions in the Intel Xeon processor family and
the 2nd gen Intel Core processors:
- Four instructions accelerate encryption and decryption.
- Two instructions improve key generation and matrix manipulation.
- The seventh aids in carry-less multiplication.
By implementing some complex and costly sub-steps of the AES
algorithm in hardware, AES-NI accelerates execution of the AES-based
encryption. The results include performance improvement implications,
and cryptographic libraries that independent software vendors (ISVs) can
use to replace basic AES routines with these optimizations.
AES-NI implements in hardware some sub-steps of the AES algorithm.
This speeds up execution of the AES encryption/decryption algorithms and
removes one of the main objections to using encryption to protect data:
the performance penalty.
To be clear, AES-NI doesn’t implement the entire AES application.
Instead, it accelerates just parts of it. This is important for legal
classification purposes because encryption is a controlled technology in
many countries. AES-NI adds six new AES instructions: four for
encryption and decryption, one for the inverse mix column, and one for
generating the next round key. These instructions speed up the AES
operations in the rounds of transformation and assist in the generation
of the round keys. AES-NI also includes a seventh new instruction:
CLMUL. This instruction could speed up AES-GCM and binary Elliptic
Curve Cryptography (ECC), and assists in error-correcting codes,
general-purpose cyclic redundancy checks (CRCs) and data de-duplication.
It particularly helps in carry-less multiplication, also known as
“binary polynomial multiplication.”
Besides the performance benefit of these instructions, execution of
instructions in hardware provides some additional security in helping
prevent software side-channel attacks. Software side channels are
vulnerabilities in the software implementation of cryptographic
algorithms. They emerge in multiple processing environments (multiple
cores, threads or operating systems). Cache-based software side-channel
attacks exploit the fact that software-based AES has encryption blocks,
keys and lookup tables held in memory. In a cache collision-timing
side-channel attack, a piece of malicious code running on the platform
could seed. For more information on the AES new instructions, see this report. For more information on the CLMUL instruction and its handling of carry-less multiplication, see explanation.
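As an added illustration, not code from the original article, here is a software reference for what the seventh instruction computes: a carry-less 64x64-bit multiply, written with mask selection so its timing does not depend on the operand bits (the data-dependent table and branch behaviour the paragraph above warns about is exactly what the hardware path avoids), and the GF(2^128) multiplication that AES-GCM's GHASH builds from four such products plus a fold by the field polynomial. The names clmul64 and gf128_mul are mine, and the plain polynomial bit order is assumed instead of GCM's bit-reflected convention.

```c
#include <stdint.h>
#include <stdio.h>

/* 128-bit polynomial over GF(2): bit i of lo is the coefficient of x^i,
 * bit i of hi is the coefficient of x^(64+i). Plain order, not GCM's
 * bit-reflected layout (an assumption made for readability). */
typedef struct { uint64_t hi, lo; } gf128;

/* Carry-less 64x64 -> 128-bit multiply: the operation PCLMULQDQ performs.
 * XOR replaces addition, so no carries propagate between bit positions.
 * Each partial product is selected with a mask, never a branch on b,
 * so execution time does not depend on the operand values. */
static gf128 clmul64(uint64_t a, uint64_t b) {
    gf128 r = {0, 0};
    for (int i = 0; i < 64; i++) {
        uint64_t m = 0 - ((b >> i) & 1);          /* all-ones if bit i of b set */
        r.lo ^= (a << i) & m;
        if (i) r.hi ^= (a >> (64 - i)) & m;     /* branch on loop index only */
    }
    return r;
}

/* Multiply in GF(2^128) modulo x^128 + x^7 + x^2 + x + 1, the GCM field
 * polynomial. Four clmul64 calls build the 256-bit product; the upper
 * 128 bits are folded back twice using x^128 == x^7 + x^2 + x + 1 (0x87). */
static gf128 gf128_mul(gf128 a, gf128 b) {
    gf128 ll = clmul64(a.lo, b.lo), lh = clmul64(a.lo, b.hi);
    gf128 hl = clmul64(a.hi, b.lo), hh = clmul64(a.hi, b.hi);
    /* 256-bit product as four 64-bit words, p0 lowest .. p3 highest */
    uint64_t p0 = ll.lo;
    uint64_t p1 = ll.hi ^ lh.lo ^ hl.lo;
    uint64_t p2 = hh.lo ^ lh.hi ^ hl.hi;
    uint64_t p3 = hh.hi;
    /* first fold: (p3,p2) * x^128 == (p3,p2) * 0x87, at most 136 bits wide */
    gf128 t0 = clmul64(p2, 0x87), t1 = clmul64(p3, 0x87);
    uint64_t x0 = p0 ^ t0.lo;
    uint64_t x1 = p1 ^ t0.hi ^ t1.lo;
    uint64_t x2 = t1.hi;                          /* at most 7 overflow bits */
    /* second fold: 7 bits times 0x87 fits in the low word */
    x0 ^= clmul64(x2, 0x87).lo;
    gf128 r = {x1, x0};
    return r;
}

int main(void) {
    gf128 x = {0, 2}, x127 = {1ULL << 63, 0};
    gf128 r = gf128_mul(x, x127);               /* x * x^127 = x^128 == 0x87 */
    printf("x^128 mod P = %016llx%016llx\n",
           (unsigned long long)r.hi, (unsigned long long)r.lo);
    return 0;
}
```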
Encryption Usage Models
There are three main usage models for AES-NI: network encryption,
full disk encryption (FDE) and application-level encryption. Networking
applications use encryption to protect data in flight with protocols
encompassing SSL, TLS, IPsec, HTTPS, FTP and SSH. AES-NI also assists
FDE and application-level models that use encryption to protect data at
rest. In all three of these models, improved performance is gained. Such
performance improvements can enable the use of encryption where it
might have otherwise been impractical due to performance impact.
In today’s highly networked world, Web servers, application servers
and database back-ends all connect via an IP network through gateways
and appliances. SSL is typically used to deliver secure transactions
over the network. It’s well-known for providing secure processing for
banking transactions and other ecommerce, as well as for enterprise
communications (such as an intranet).
Where AES-NI provides a real opportunity is in reducing the
computation impact (load) for those SSL transactions that use the AES
algorithm. There is significant overhead in establishing secure
communications, and this can be multiplied by hundreds or thousands,
depending on how many systems want to concurrently establish secure
communications with a server. Think of your favorite online shopping
site during the holiday season. Integrating AES-NI would improve
performance by reducing the computation impact of all these secure
transactions.
With the growing popularity of cloud services, secure HTTPS
connections are getting increased attention — and use. The growth in
cloud services is putting enormous amounts of user data on the Web. To
protect users, operators of public or private clouds must ensure the
privacy and confidentiality of each individual’s data as it moves
between client and cloud. This means instituting a security
infrastructure across their multitude of service offerings and points of
access. For these reasons, the amount of data encrypted, transmitted,
and decrypted in conjunction with HTTPS connections is predicted to grow
as clouds proliferate.
For cloud providers, the performance and responsiveness of
transactions, streaming content and collaborative sessions over the
cloud are all critical to customer satisfaction. Yet the more
subscribers cloud services attract, the heavier the load placed on
servers. This makes every ounce of performance that can be gained
anywhere incredibly important. AES-NI and its ability to accelerate the
performance of encryption/decryption can play a significant role in
helping the cloud computing movement improve the user experience and
speed up secure data exchanges.
Most enterprise applications offer some kind of option to use
encryption to secure information. It is a common option used for email,
and for collaborative and portal applications. ERP and CRM applications
also offer encryption in their architectures with a database backend.
Database encryption offers granularity and flexibility at the data cell
level, column level, file system level, table space and database level.
Transparent data encryption (TDE) is a feature on some databases that
automatically encrypts the data when it is stored to the disk and
decrypts it when it is read back into memory. Retailers can use features
like TDE to help address PCI-DSS requirements. University and health
care organizations can use it to automatically encrypt their data to
safeguard social security numbers and other sensitive information on
disk drives and backup media from unauthorized access. Since AES is a
supported algorithm in most enterprise application encryption schemes,
the use of AES-NI provides an excellent opportunity to speed up these
applications and enhance security.
Full disk encryption (FDE) uses disk encryption software, which
encrypts every bit of data that goes on a disk or disk volume. While the
term FDE is often used to signify that everything on a disk is
encrypted, including the programs that boot OS partitions, the master
boot record (MBR) is not and thus this small part of the disk remains
unencrypted. FDE can be implemented either through disk encryption
software or an encrypted hard drive. Direct-attached storage (DAS) is
commonly connected to one or more Serial-attached SCSI (SAS) or SATA
hard drives in the server enclosure. Since there are relatively few hard
disks and interconnects, the effective bandwidth is relatively low.
This generally makes it reasonable for a host processor to encrypt the
data in software at a rate compatible with the DAS bandwidth
requirements.
In addition to protecting data from loss and theft, full disk
encryption facilitates decommissioning and repair. For example, if a
damaged hard drive has unencrypted confidential information on it,
sending it out for warranty repair could potentially expose its data.
Consider, for instance, the experience of the National Archives and
Records Administration (NARA). When a hard drive with the personal
information of around 76 million servicemen malfunctioned, NARA sent it
back to its IT contractor for repairs. By failing to wipe the drive
before sending it out, NARA arguably created the biggest government data
breach ever. Similarly, as a specific hard drive gets decommissioned at
the end of its life or re-provisioned for a new use, encryption can
spare the need for special steps to protect any confidential data. In a
data center with thousands of disks, improving the ease of repair,
decommissioning and re-provisioning can save money.
In summary, these AES-NI capabilities are able to make
performance-intensive encryption feasible and can be easily applied into
various usage models.