SOLUTION BLUEPRINT
IT SECURITY MANAGEMENT

Enhancing McAfee Endpoint Encryption* Software With Intel AES-NI Hardware-Based Acceleration

Industry: IT security management across industries
Business Challenge: End the breach of confidential corporate or customer data, which can result in loss of intellectual property, industry and legal noncompliance penalties, and more
Technology Solution: McAfee Endpoint Encryption Software with Intel AES New Instructions (Intel AES-NI)
Enterprise Hardware Platform: Intel Core processor family

BUSINESS AND SOLUTION DETAILS

MEETING MARKETPLACE DEMANDS

Organizations are under increasing pressure to protect sensitive data and minimize the risk of data breaches. Global regulations protecting personally identifiable information (PII) are becoming more stringent and breaches more costly to organizations that fail to comply. In addition, valuable intellectual property (IP) that holds competitive advantage is also under risk of loss, theft, or unauthorized access.

Encryption is one of the best solutions to protect valuable data on endpoints by making the encrypted data unreadable by unauthorized parties. McAfee and Intel optimize full-disk encryption by adding hardware-based acceleration to software-based encryption. This gives organizations the benefits of both increased performance and security.

BUSINESS CHALLENGE

If organizations have valuable IP- and/or compliance-related data, it's a target for theft. Laptop computers have historically been a major source of sensitive data loss and leakage due to the mobility, large storage capacity, and database access capabilities of PCs. To help protect the vast amounts of digital data on these endpoints, companies deploy managed full-disk encryption to automatically secure all data on the laptop from unauthorized access.

Intellectual capital (e.g., patented technology, trade secrets, and proprietary data) makes up a majority of a company's value, so it makes sense to protect access to it, especially on mobile endpoints. For compliance-related data, when a PC with managed encryption is lost or stolen, it's generally not considered to be a breach event because the data is unusable, unreadable, or indecipherable to unauthorized individuals. Without encryption or proof of protection through managed encryption, the biggest security concern is the possibility of a data breach.

The breach of confidential corporate or customer data can result in loss of intellectual property, industry and legal noncompliance penalties, and more.

SOLUTION OVERVIEW

Intel AES-NI acceleration speeds all AES encryption operations, making full-disk encryption even faster. Working with McAfee Endpoint Encryption for PCs, which has unique native support for Intel AES-NI, provides key benefits:

- Reduced end user logon times
- Faster resume from hibernate
- Faster initial hard disk encryption
- Decreased file save times

Users can feel the speed benefits provided by Intel AES-NI during everyday activities like resuming from hibernation (Figure 1).

[Figure 1. Resume from Hibernate (HDD) Times. Series: Encryption with Intel AES-NI, Standard Encryption, No Encryption. Axis: Time (Seconds).]

TECHNOLOGY

McAfee Endpoint Encryption for PCs protects valuable data on laptop and desktop computers with full-disk encryption and strong access control. McAfee ePolicy Orchestrator* provides robust, centralized management and proof of protection. From a single console, McAfee ePolicy Orchestrator delivers centralized deployment and management, shared policies, policy administration, password recovery, monitoring, auditing, reporting, and proof of protection. McAfee ePolicy Orchestrator is also the same management infrastructure for a wide range of McAfee data protection, endpoint, and security solutions. This provides customers with ease of management, consistent protection, and lower TCO. McAfee and Intel optimize full-disk encryption by adding hardware-based Intel AES-NI acceleration to McAfee software-based encryption.

SOLUTION ARCHITECTURE

Intel AES-NI is built into the processor. McAfee Endpoint Encryption for PCs automatically detects its presence and uses it if it is available. No configuration is required by the end user or the administrator.

Intel AES-NI is a set of new instructions included in the Intel Core processor family (codenamed Westmere) or newer. This speeds up execution of the AES encryption/decryption algorithms. To be clear, Intel AES-NI doesn't implement the entire AES application. Instead, it accelerates just parts of it. This is important for legal classification purposes because encryption is a controlled technology in many countries.

Intel AES-NI adds six new AES instructions, four for encryption and decryption, one for the mix column, and one for generating next-round text.
These instructions speed up the AES operations in the rounds of transformation and assist in the generation of the round keys.

Intel AES-NI also includes a seventh new instruction: CLMUL. This instruction could speed up the AES-GCM and binary elliptical curve cryptography (ECC) and assists in error correcting codes, general-purpose cyclic redundancy checks (CRCs), and data de-duplication. It particularly helps in carryless multiplication, also known as binary polynomial multiplication. This is the mathematical operation of computing the product of two operands without generating or propagating carries. Such multiplications are an essential step in computing multiplications in binary Galois fields. Intel AES-NI includes Intel's carryless multiplication instruction. Algorithms can use CLMUL to compute the Galois Hash, the underlying computation of the GCM. CLMUL speeds up execution of GCM by computing the carryless multiplication of two 64-bit operands.

[Figure 2. Physical Implementation]

Figure 2 shows four of the new instructions at work encrypting and decrypting rounds from a 128-bit plain text to 128-bit cipher text and vice versa. During each round, there are two instructions that assist in generating the follow-on key. The AESENC instruction encrypts each round and AESENCLAST encrypts the last round. In reverse (decryption), AESDEC decrypts each round and AESDECLAST decrypts the last round. Another instruction, AESIMC, does the mix column operation for each round and AESKEYGENASSIST generates the next key. The keys can be 128-, 192-, or 256-bit. Remember, all these computations are being done by the hardware, providing a significant speedup: 4x in CBC encrypt in serial mode and more than 14x in parallel modes of operation.

Besides the performance benefit of Intel AES-NI, its execution of instructions in hardware provides some additional security in helping to prevent software side-channel attacks. Software side channels are vulnerabilities in the software implementation of cryptographic algorithms. They emerge in multiple processing environments (multiple cores, threads, or operating systems). Cache-based, software side-channel attacks exploit the fact that software-based AES has encryption blocks, keys, and lookup tables held in memory. In a cache collision-timing, side-channel attack, a piece of malicious code
running on the platform could seed the cache, run cryptographic operations, and then time specially crafted memory accesses to identify changes in the cache. From these changes, the attack could determine portions of the cryptographic key value. For example, by measuring the time it takes for a given cryptographic operation, an attacker might be able to determine that the uppermost bit of a key is a 0. Knowing that single bit cuts in half the key space that must be searched to identify the complete key value. More effective side-channel attacks reduce the key space significantly (i.e., they may identify half the bits in the key).

Since Intel AES-NI is hardware based, it has no need for lookup tables and the encryption blocks are executed in hardware within the microprocessor. This enables implementations of AES that use Intel AES-NI to address software side-channel attacks. These instructions also make AES simple to implement, with reduced code size. This helps to reduce the risk of inadvertently introducing security flaws such as hard-to-detect side-channel leaks. Also, the acceleration provided by Intel AES-NI can allow the system to execute larger key sizes, making data transfers more secure.

MARKET SEGMENT AND VALUE PROPOSITION

Every company needs encryption to protect IP- or compliance-related data. Generally, companies that are externally required to protect compliance data (e.g., financial, customer or employee data) are a good place to start. Companies with valuable IP like proprietary data and patents also need encryption. Endpoint encryption is most often handled by chief information security officer (CISO) and chief information officer (CIO) organizations. These organizations report into senior-level executives who focus on data security and compliance on endpoints within an organization. McAfee Endpoint Encryption for PCs prevents unauthorized access and renders sensitive data unreadable and useless in the event of device loss or theft.
Most companies don't want to use encryption, but to protect business data, they must. That's why it's important to provide organizations with high-performance encryption that's easy to use and manage.

MORE INFORMATION

To learn more about Intel AES-NI, visit www.intel.com. To learn more about McAfee Endpoint Encryption, visit www.mcafee.com.
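
The carryless multiplication and binary Galois field arithmetic described under SOLUTION ARCHITECTURE, modelled in portable C as an added example (not code from Intel, McAfee, or this blueprint). The names u128, clmul64 and gf256_mul are hypothetical; the code models the arithmetic only, not the hardware instruction, and uses masks rather than the data-dependent lookup tables that the side-channel discussion attributes to software AES.

```c
/* Added example: software model of carryless multiplication and its use
 * in the AES field GF(2^8). Helper names are hypothetical. */
#include <stdint.h>
#include <stdio.h>

typedef struct { uint64_t lo, hi; } u128;   /* 128-bit product */

/* Carryless 64x64 -> 128-bit multiply: for every set bit i of b, XOR in
 * (a << i). XOR replaces addition, so no carries are generated or
 * propagated. Bits of b become masks instead of branches, so the
 * instruction flow does not depend on operand values. */
static u128 clmul64(uint64_t a, uint64_t b) {
    u128 r = {0, 0};
    for (int i = 0; i < 64; i++) {
        uint64_t mask = (uint64_t)0 - ((b >> i) & 1);  /* all-ones if bit i set */
        r.lo ^= (a << i) & mask;
        if (i)                                         /* i is a public counter */
            r.hi ^= (a >> (64 - i)) & mask;
    }
    return r;
}

/* Multiply in GF(2^8) with the AES polynomial x^8+x^4+x^3+x+1 (0x11B):
 * carryless product, then reduce bits 14..8, again without branches on
 * data and without lookup tables. */
static uint8_t gf256_mul(uint8_t a, uint8_t b) {
    uint32_t p = (uint32_t)clmul64(a, b).lo;           /* at most 15 bits */
    for (int bit = 14; bit >= 8; bit--) {
        uint32_t mask = (uint32_t)0 - ((p >> bit) & 1);
        p ^= ((uint32_t)0x11B << (bit - 8)) & mask;
    }
    return (uint8_t)p;
}

int main(void) {
    u128 p = clmul64(3, 3);                  /* (x+1)^2 = x^2+1 over GF(2) */
    printf("integer 3*3 = %u, carryless 3*3 = %llu\n", 3u * 3u,
           (unsigned long long)p.lo);
    p = clmul64(UINT64_MAX, 2);              /* product spills into hi word */
    printf("clmul(2^64-1, 2) = hi %llx lo %llx\n",
           (unsigned long long)p.hi, (unsigned long long)p.lo);
    printf("GF(2^8): 0x57 * 0x83 = 0x%02X\n", gf256_mul(0x57, 0x83));
    return 0;
}
```

The GF(2^8) operands 0x57 and 0x83 are the worked multiplication from the AES standard (FIPS 197), which gives a fixed value to check the reduction against.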

Sources:
Securing the Enterprise with Intel AES-NI (Intel Corporation, March 2010).
McAfee, Inc. Endpoint Encryption Delivers True Common Management for Endpoint Security and Data Protection (McAfee Corporation, October 7, 2009).
McAfee Endpoint Encryption (McAfee Corporation, 2011).

Intel AES-NI requires a computer system with an AES-NI enabled processor, as well as non-Intel software to execute the instructions in the correct sequence. AES-NI is available on select Intel processors. For availability, consult your reseller or system manufacturer. For more information, see http://software.intel.com/en-us/articles/intel-advanced-encryption-standard-instructions-aes-ni/

Intel, Intel Core, and the Intel logo are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.
*Other names and brands may be claimed as the property of others.
Copyright 2011 Intel Corporation

INFORMATION IN THIS DOCUMENT IS PROVIDED IN CONNECTION WITH INTEL PRODUCTS. NO LICENSE, EXPRESS OR IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS IS GRANTED BY THIS DOCUMENT. EXCEPT AS PROVIDED IN INTEL'S TERMS AND CONDITIONS OF SALE FOR SUCH PRODUCTS, INTEL ASSUMES NO LIABILITY WHATSOEVER AND INTEL DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO SALE AND/OR USE OF INTEL PRODUCTS INCLUDING LIABILITY OR WARRANTIES RELATING TO FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT. UNLESS OTHERWISE AGREED IN WRITING BY INTEL, THE INTEL PRODUCTS ARE NOT DESIGNED NOR INTENDED FOR ANY APPLICATION IN WHICH THE FAILURE OF THE INTEL PRODUCT COULD CREATE A SITUATION WHERE PERSONAL INJURY OR DEATH MAY OCCUR.

Intel may make changes to specifications and product descriptions at any time, without notice. Designers must not rely on the absence or characteristics of any features or instructions marked "reserved" or "undefined".
Intel reserves these for future definition and shall have no responsibility whatsoever for conflicts or incompatibilities arising from future changes to them. The information here is subject to change without notice. Do not finalize a design with this information.

Software and workloads used in performance tests may have been optimized for performance only on Intel microprocessors. Performance tests, such as SYSmark and MobileMark, are measured using specific computer systems, components, software, operations and functions. Any change to any of those factors may cause the results to vary. You should consult other information and performance tests to assist you in fully evaluating your contemplated purchases, including the performance of that product when combined with other products. For more information go to http://www.intel.com/performance.

The products described in this document may contain design defects or errors known as errata which may cause the product to deviate from published specifications. Current characterized errata are available on request. Contact your local Intel sales office or your distributor to obtain the latest specifications and before placing your product order. Copies of documents which have an order number and are referenced in this document, or other Intel literature, may be obtained by calling 1-800-548-4725, or go to: http://www.intel.com/design/literature.htm

1211/SS/PDF