Cryptoaccelerator: increased security with more power

estimated reading effort: 3 minutes

In particular, operators of public cloud services such as Google and Microsoft are still faced with the prejudice that their services are not secure and data is not adequately protected there. For more security, Intel has implemented new instruction sets with the product launch of the scalable 3rd generation Intel Xeon processor. These ensure encryption of (cloud) data at CPU level. How this works and what it entails is explained in this article.

There are three main areas that can be addressed with the crypto instruction sets available with the 3rd generation Intel Xeon Scalable processor: public key authentication, bulk encryption, and hashing. This means that the associated functions take place directly on the CPU and not, as is often the case, on dedicated accelerator cards such as GPUs and FGPAs. Which significantly improves the performance of the entire system.

The associated functions and command sets are as follows:

The public key authentication is based on the algorithms RSA, DH, ECDHE and ECDSA, and also supports multibuffer operations. This makes it possible to encrypt and decrypt public keys up to eight times faster than with software-based encryption techniques. This type of (de)coding is primarily used to secure SSL connections and PKI infrastructures. Among other things, the merged multiple add command VPMADD52 is used.

that Bulk encryption (or mass encryption) is based on the algorithms AES-GCM, XTS, CTR and CBC. These are part of the new AES-based Intel AES-NI and Vector CLMUL (carry-less multiplication) instruction sets. The associated instructions ensure secure data transmission and data encryption, which is performed up to four times faster than with the conventional Intel AVX-512 instruction set.

To hashing based on the algorithms SHA-1 and SHA-256. These are used wherever digital signatures and blockchain applications are at the fore. This triples the hash performance.

Software optimizations ensure hardware-based security

As with any special instruction set, it is imperative to adapt the application to the cryptographic functions for the best possible use. The good news: numerous applications and software platforms from Microsoft, SAP, VMware and Oracle use the new crypto commands from scratch.

If this is not the case, you can look around at the well-known open source software providers. Several Linux distributions support the cryptographic instruction sets of the scalable third generation Intel Xeon processor. But NGINX, HAProxy, WordPress, Envoy, Istio, Apache Kafka 2.3 and RocksDB have already been adapted. This also applies to the Java Open JDK, the OpenSSL library 1.1.1g, and the IPSec/IPP multibuffer libraries.

If that is not an option, you can prepare your own applications for the cryptographic functions and commands. All that is required for this is Intel’s Crypto API Toolkit. This makes it possible to execute the corresponding commands within Intel SGX-based enclaves directly in main memory – for even more security, which is specifically required for data-sensitive applications. The digital patient record is a good example of this.

Cloud service providers benefit from Intel Crypto

Cloud providers like Kingsoft Cloud offer their customers special services like CDN (Content Deliver Network). The focus here is on HTTPS-based encryption, which ensures secure connections. In order to answer as many parallel HTTPS requests as possible, Kingsoft Cloud has chosen the scalable Intel Xeon processor with its cryptographic capabilities. The result: More than twice as many HTTPS connections are available at the same time, and that in combination with a powerful cloud platform.

The offer from Bitnami, a VMware company, is also interesting. There, developers adapt open source software programs to well-known cloud platforms such as AWS, Azure and Google Cloud. This includes, for example, the proxy software NGINX and the content management system WordPress, both of which use cryptographic functions in the Intel Xeon Scalable Processor (3rd generation).

Disclaimer: Intel commissioned me to write and publish this blog post. I had almost a free hand to design the content.

Leave a Comment