The Impact of Cryptography on Platform Security

Similar documents
Technologies to Improve. Ernie Brickell

Enhanced Privacy ID (EPID) Ernie Brickell and Jiangtao Li Intel Corporation

Haswell Cryptographic Performance

Improving OpenSSL* Performance

Secure Network Communications FIPS Non Proprietary Security Policy

AES-GCM software performance on the current high end CPUs as a performance baseline for CAESAR competition

Security Policy for FIPS Validation

FIPS Non- Proprietary Security Policy. McAfee SIEM Cryptographic Module, Version 1.0

Symantec Corporation Symantec Enterprise Vault Cryptographic Module Software Version:

GCM-SIV: Full Nonce Misuse-Resistant Authenticated Encryption at Under One Cycle per Byte. Yehuda Lindell Bar-Ilan University

SkyRecon Cryptographic Module (SCM)

Intel Identity Protection Technology Enabling improved user-friendly strong authentication in VASCO's latest generation solutions

Processing Multiple Buffers in Parallel to Increase Performance on Intel Architecture Processors

Security Technical. Overview. BlackBerry Enterprise Service 10. BlackBerry Device Service Solution Version: 10.2

Security Policy. Trapeze Networks

VASCO Data Security International, Inc. DIGIPASS GO-7. FIPS Non-Proprietary Cryptographic Module Security Policy

Overview. SSL Cryptography Overview CHAPTER 1

Opal SSDs Integrated with TPMs

IoT Security Platform

SECURE USB FLASH DRIVE. Non-Proprietary Security Policy

Kaseya US Sales, LLC Virtual System Administrator Cryptographic Module Software Version: 1.0

Northrop Grumman M5 Network Security SCS Linux Kernel Cryptographic Services. FIPS Security Policy Version

Using etoken for SSL Web Authentication. SSL V3.0 Overview

FIPS Non Proprietary Security Policy: Kingston Technology DataTraveler DT4000 Series USB Flash Drive

Ciphire Mail. Abstract

AES-GCM for Efficient Authenticated Encryption Ending the Reign of HMAC-SHA-1?

CS 356 Lecture 28 Internet Authentication. Spring 2013

Pulse Secure, LLC. January 9, 2015

SecureDoc Disk Encryption Cryptographic Engine

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

Security in the Cloud

Performance of Software Switching

Accellion Secure File Transfer Cryptographic Module Security Policy Document Version 1.0. Accellion, Inc.

Intel Identity Protection Technology (IPT)

Analyzing the Security Schemes of Various Cloud Storage Services

RELEASE NOTES. Table of Contents. Scope of the Document. [Latest Official] ADYTON Release corrections. ADYTON Release 2.12.

Communication Security for Applications

Using AES 256 bit Encryption

Intel Software Guard Extensions(Intel SGX) Carlos Rozas Intel Labs November 6, 2013

Authentication requirement Authentication function MAC Hash function Security of

CycurHSM An Automotive-qualified Software Stack for Hardware Security Modules

Hormuzd Khosravi, Principal Engineer, Intel Corporation

M-Shield mobile security technology

CS155. Cryptography Overview

Using BroadSAFE TM Technology 07/18/05

Secure Sockets Layer (SSL ) / Transport Layer Security (TLS) Network Security Products S31213

Side Channel Analysis and Embedded Systems Impact and Countermeasures

CS 393 Network Security. Nasir Memon Polytechnic University Module 11 Secure

eid Security Frank Cornelis Architect eid fedict All rights reserved

Chapter 11 Security+ Guide to Network Security Fundamentals, Third Edition Basic Cryptography

Chapter 7 Transport-Level Security

2014 IBM Corporation

Smart Card- An Alternative to Password Authentication By Ahmad Ismadi Yazid B. Sukaimi

Trusted Platforms for Homeland Security

Performance Investigations. Hannes Tschofenig, Manuel Pégourié-Gonnard 25 th March 2015

Software Token Security & Provisioning: Innovation Galore!

Using the TPM to Solve Today s Most Urgent Cybersecurity Problems

Security Protocols HTTPS/ DNSSEC TLS. Internet (IPSEC) Network (802.1x) Application (HTTP,DNS) Transport (TCP/UDP) Transport (TCP/UDP) Internet (IP)

Announcement. Final exam: Wed, June 9, 9:30-11:18 Scope: materials after RSA (but you need to know RSA) Open books, open notes. Calculators allowed.

High-speed cryptography and DNSCurve. D. J. Bernstein University of Illinois at Chicago

[SMO-SFO-ICO-PE-046-GU-

Applying Cryptography as a Service to Mobile Applications

Transport Layer Security Protocols

Fastboot Techniques for x86 Architectures. Marcus Bortel Field Application Engineer QNX Software Systems

Breakthrough AES Performance with. Intel AES New Instructions

Chapter 1: Introduction

Acronym Term Description

Security Policy Revision Date: 23 April 2009

SENSE Security overview 2014

Attribute-proving for Smart Cards

Summary of Results. NGINX SSL Performance

Disk encryption... (not only) in Linux. Milan Brož

OpenFlow with Intel Voravit Tanyingyong, Markus Hidell, Peter Sjödin

Introduction to Cryptography

Cryptography and Key Management Basics

UM0586 User manual. STM32 Cryptographic Library. Introduction

Index. BIOS rootkit, 119 Broad network access, 107

Dr. Cunsheng DING HKUST, Hong Kong. Security Protocols. Security Protocols. Cunsheng Ding, HKUST COMP685C

Efficient Framework for Deploying Information in Cloud Virtual Datacenters with Cryptography Algorithms

Achieving Nanosecond Latency Between Applications with IPC Shared Memory Messaging

Overview of CSS SSL. SSL Cryptography Overview CHAPTER

Network Security Essentials Chapter 5

OPTIMIZE DMA CONFIGURATION IN ENCRYPTION USE CASE. Guillène Ribière, CEO, System Architect

Table of Contents. Bibliografische Informationen digitalisiert durch

How To Understand And Understand The Security Of A Key Infrastructure

Communication Systems 16 th lecture. Chair of Communication Systems Department of Applied Sciences University of Freiburg 2009

Dashlane Security Whitepaper

Certicom Security for Government Suppliers developing client-side products to meet the US Government FIPS security requirement

SECURE IMPLEMENTATIONS OF CONTENT PROTECTION (DRM) SCHEMES ON CONSUMER ELECTRONIC DEVICES

SECUDE AG. FinallySecure Enterprise Cryptographic Module. FIPS Security Policy

Proof of Concept Guide

CLOUD SECURITY: Secure Your Infrastructure

Security Overview for Windows Vista. Bob McCoy, MCSE, CISSP/ISSAP Technical Account Manager Microsoft Corporation

Secure Storage. Lost Laptops

SNAPcell Security Policy Document Version 1.7. Snapshield

MySQL Security: Best Practices

Software Execution Protection in the Cloud

Patterns for Secure Boot and Secure Storage in Computer Systems

Transcription:

The Impact of Cryptography on Platform Security Ernie Brickell Intel Corporation 2/28/2012 1

Security is Intel s Third Value Pillar Intel is positioning itself to lead in three areas: energy-efficient performance silicon, connectivity, and security. Paul Otellini Intel CEO There s an urgent need for security innovation as people are spending more time online and the amount of data is growing. 2 Intel Architecture Group

Outline Digital signatures on FW updates Hardware Random number generation Anonymous platform attestation Trusted Boot Improved protection for user authentication Enhancements for cryptographic performance Protection from Side Channel Attacks 3 Intel Architecture Group

Digital Signatures on FW Updates Intel FW updates are validated with a digital signature NIST recommending digital signatures for BIOS updates. NIST SP800-147 BIOS protection Guidelines Use digital signatures to verify the authenticity of BIOS updates. BIOS updates verified using a Root of Trust for Update which includes: The key store used to verify signatures on updates. The digital signature verification algorithm. Use of NIST-approved crypto algorithms. Recommend rollback protection. http://csrc.nist.gov/publications/nistpubs/800-147/nist-sp800-147-april2011.pdf 4 Intel Architecture Group

Outline Digital signatures on FW updates Hardware Random number generation Anonymous platform attestation Trusted Boot Improved protection for user authentication Enhancements for cryptographic performance Protection from Side Channel Attacks 5 Intel Architecture Group

Digital Random Number Generator (DRNG) Entropy Source BIST Online Health Tests Test Port DRNG Combined Conditioner/ Deterministic Random Bit Generator (DRBG) DRNG Wrapper Interface (embedding specific) A reusable circuit that provides an autonomous/self contained, complete DRNG Provides a hardware source of high quality, high performance entropy to be embedded across Intel products. It is composed of An all-digital Entropy Source, (3 Gbps, 90% Entropic) Runtime Entropy Source health measurement via Online Health Test, Conditioning (via AES CBC-MAC mode) and DRBGing (via AES CTR mode) post processing and Built In Self Test (BIST) and Test Port Standards compliant (NIST SP 800-90) 6

RDRAND Performance Preliminary data from pre-production Ivy Bridge sample 1 RdRands (Millions/sec) Throughput (MB/sec) RdRand new CPU instruction which provides access to DRNG Up to 70 million RdRand invocations per second 80 70 60 50 40 30 20 10 0 Throughput (RdRands/s) 1 2 3 4 5 6 7 8 9 10 11 12 500+ Million Bytes of random data per second Throughput ceiling is insensitive to number of contending parallel threads Steady state maintained at peak performance 600 500 400 300 200 100 Number of Parallel Threads Throughput (MB/s) 0 1 2 3 4 5 6 7 8 9 10 11 12 Number of Parallel Threads 1 Data taken from Intel processor codename Ivy Bridge early engineering sample board. Quad core, 4 GB memory, hyper-threading enabled. Software: LINUX* Fedora 14, gcc version 4.6.0 (experimental) with RdRand support, test uses pthreads kernel API. 7 Intel Architecture Group

RdRand Response Time and Reseeding Frequency Preliminary data from pre-production Ivy Bridge sample 1 Response Time (Clock cycles) DRNG 128-bit Outputs 300 RdRand Response Time RdRand Response Time ~150 clocks per invocation Little contention until 8 threads (or 4 threads on 2 core chip) Simple linear increase as additional threads are added DRNG Reseed Frequency Single thread worst case: Reseeds every 4 RdRand invocations Multiple thread worst case: Reseeds every 23 RdRand invocations At slower invocation rate, can expect reseed before every 2 RdRand calls NIST SP 800-90 recommends 2 48 250 200 150 100 50 0 25 20 15 10 5 0 1 2 3 4 5 6 7 8 9 10 11 12 Number of Parallel Threads DRNG Reseed Frequency 1 2 3 4 5 6 7 8 9 10 11 12 Number of Parallel Threads 1 Data taken from Intel processor codename Ivy Bridge early engineering sample board. Quad core, 4 GB memory, hyper-threading enabled. Software: LINUX* Fedora 14, gcc version 4.6.0 (experimental) with RdRand support, test uses pthreads kernel API. 8 Intel Architecture Group

Outline Digital signatures on FW updates Hardware Random number generation Anonymous platform attestation Trusted Boot Improved protection for user authentication Enhancements for cryptographic performance Protection from Side Channel Attacks 9 Intel Architecture Group

Overview of EPID EPID pub-key Message Message, EPID Signature Sign Verify pvt-key 1 pvt-key 2 pvt-key n EPID Signature True / False EPID is a digital signature scheme with special properties One group public key corresponds to multiple private keys Each unique private key can be used to generate a signature Signature can be verified using the group public key 10 Intel Architecture Group

Enhanced Privacy ID (EPID) Direct Anonymous Attestation (DAA) A crypto scheme for providing anonymous signatures DAA is designed specifically for TPM RSA based DAA scheme adopted by TCG TPM Spec v1.2 EPID is an extension of DAA Flexible key generation and signature creation options Additional revocation capabilities Pairing based EPID scheme has improved efficiency 11 Intel Architecture Group

Knows Issuer Secret Join Each Member obtains a unique EPID private key Knows Private key Sign Signs a message using his private key and outputs a signature What is EPID Issuer Member EPID group public key Verifier Verify Verifies EPID signature using the group public key 12 Intel Architecture Group

Privacy Features of DAA/EPID EPID key issuing can be blinded Issuer does not need to know Member Private Key EPID signatures are anonymous EPID signatures are untraceable Nobody including the issuer can open an EPID signature and identify the member This is the main difference between group signatures Unlinkability property depends upon Base Signature includes a pseudonym B f where B is base chosen for a signature and revealed during the signature f is unique per member and private Random base: Pseudonym R f where R is random signatures are unlinkable Name base: Pseudonym N f all where N is name of verifier Signatures still unlinkable for different verifiers Signatures using common N are linkable 13 Intel Architecture Group

Revocations in EPID Private key revocation (Revealed Key List) Ex: Private key is corrupted and is published Revocation check performed by verifier Verifier Local Revocation using name base Ex: Verifier can revoke a Pseudonym for his name (N f ) Revocation check performed by verifier Signature based revocation (Signature Revocation List) Issuer and/or verifier decide that they no longer want to accept signatures from whatever signed a revoked message with pseudonym B f For each future signature, Member signs as normal Member proves he didn t sign the revoked message Retains same anonymity and unlinkability properties 14 Intel Architecture Group

More on signature based revocation Signature Revoke list K i = B i fi for many pseudonyms Member produces a pseudonym K = B f in a signature The Member performs a Not My Pseudonym Proof, for each pseudonym in Signature Revoke list, i.e., for each (B i, K i ), the member proves that K i B i f Signature Revoke list signed by Revocation authority and checked by Member device 15 Intel Architecture Group

Outline Digital signatures on FW updates Hardware Random number generation Anonymous platform attestation Trusted Boot Improved protection for user authentication Enhancements for cryptographic performance Protection from Side Channel Attacks 16 Intel Architecture Group

TPM Measured Boot Measured boot Boot anything Store a trusted measurement of the boot process Provide trusted reporting of the measurement TPM Trusted Platform Module Separate microprocessor During platform boot, the HW does a hash of the initial boot code and sends that to the TPM. TPM can digitally sign the hash 17 Intel Architecture Group

Verified Boot Verified boot Boot only code that passes verification Uses Intel s Trusted execution Technology Launch Control Policy The HW verifies that the measurements made during launch are good If not, then the selected policy option is invoked. Examples: Platform boots to a fall back environment Platform does not boot 18 Intel Architecture Group

Outline Digital signatures on FW updates Hardware Random number generation Anonymous platform attestation Improved protection for user authentication Enhancements for cryptographic performance Protection from Side Channel Attacks 19 Intel Architecture Group

IPT 1.0: One Time Password (OTP) The first generation of Intel IPT is a dynamic code generated on an embedded microprocessor that is protected from malware in the OS. Single use, (i.e. 30 second, time-limited code OTP ) A hardware level 2nd factor of authentication Works with leading OTP Solutions from Symantec & Vasco Traditional hardware token CPU OTP Client App / Browser Intel IPT Middleware ME Embedded OTP App Now embedded into your PC Intel ISV No system can provide absolute security under all conditions. Requires an Intel IPT enabled system, including a 2 nd generation Intel Core processor, enabled chipset, firmware and software. Available only on participating websites. Consult your system manufacturer. Intel assumes no liability for lost or stolen data and/or systems or any resulting damages. For more information, visit 20 [http://ipt.intel.com]. Intel Architecture Group

Outline Digital signatures on FW updates Hardware Random number generation Anonymous platform attestation Improved protection for user authentication Enhancements for cryptographic performance Protection from Side Channel Attacks 21 Intel Architecture Group

Crypto Performance Software improvements Multi-buffer Function Stitching Hardware improvements AES-NI PCLMULQDQ Microarchitecture improvements 22 Intel Architecture Group

Multi Buffer Performance 1 WSM Core Multi-buffer: Perform the same function on multiple independent data buffers 9,000 8,000 7,000 AES: Total Cycles / Buffer Single Buffer 8,438 6,000 5,000 Multi Buffer 3X 4,000 3,000 2,528 2,841 2,000 1,000 0 1,333 972 582 158 137 48 Byte Distribution 0 Distribution 1 2048 Byte Excellent performance on AES CBC Encrypt 23 Intel Architecture Group *See Intel technical paper # 2 for full description of methodology and results.

Function Stitching Protocols such as SSL/TLS and IPsec apply two functions, confidentiality and integrity Improved performance by using multiple execution units more efficiently Fine grain integration achieves higher performance 1.4X Speedup on AES128 CBC-Encrypt with SHA1 (Cycles/Byte) Method to speedup combined Encrypt/Authenticate 24 Intel Architecture Group *See Intel technical paper # 3 for full description of methodology and results.

OpenSSL Performance Improvements Intel developed and released highly optimized cryptographic functions into OpenSSL ~28 Gigabits/second of large secure connections using AES256-SHA1 with RSA1024 for session setup 4.8x faster than latest default version at the system level Dual Intel Xeon Processor X5680 system running the Apache Web-Server application, sending HTTP over SSL to clients on a network. 25 Intel Architecture Group *See Intel technical paper # 14 for full description of methodology and results.

Sandy Bridge Performance SNB 2 nd Generation Intel Core improves: AES-NI Throughput SIMD Processing via AVX ISA extensions Large-integer processing (public-key crypto) Multi Buffer Performance (Cycles/byte) Algorithm i5-650 i7-2600 i7-2600 Gain MD5 1.46 1.27 1.15 SHA1 2.96 2.2 1.35 SHA256 6.96 5.27 1.32 AES128-CBC-Encrypt 1.52 0.83 1.83 Modular Exponentiation Performance (Cycles) Algorithm i5-650 i7-2600 i7-2600 Gain 512-bit Modular Exponentiation 360,880 246,899 1.46 1024-bit Modular Exponentiation 2,722,590 1,906,555 1.43 1.2-1.8X additional performance gain on SNB! 26 Intel Architecture Group *See Intel technical paper # 10 for full description of methodology and results.

Outline Digital signatures on FW updates Hardware Random number generation Anonymous platform attestation Improved protection for user authentication Enhancements for cryptographic performance Protection from Side Channel Attacks 27 Intel Architecture Group

Software Side Channels Not Hardware Side Channel where adversary has physical access. Not Software Covert Channel where adversary has malware in a high security partition and a low security partition Software Side Channel Adversary has malware executing in a spy process, and tries to obtain information about an uncompromised target process executing on same platform. Target App with Protected Asset Spy App Inside trust boundary Outside trust boundary OS 28 Intel Architecture Group

Protection from software side channels Platform approach for software side channels AES-NI: CPU instructions for a round of AES PCLMULQDQ: CPU instructions for GF(2) Multiplication Recommend side channel mitigated implementations of other crypto algorithms No secret key or data dependent memory access (at coarser than cache line granularity) No secret key or data dependent code branching Ex: RSA implemented with <6% performance reduction in OpenSSL 29 Intel Architecture Group

Technical Papers - 1 1. Breakthrough AES performance with Intel AES New Instructions http://software.intel.com/file/26898 2. Processing Multiple buffers in parallel http://download.intel.com/design/intarch/papers/324101.pdf 3. Fast Cryptographic computation on IA processors via Function Stitching http://download.intel.com/design/intarch/papers/323686.pdf 4. Fast and Constant-time Implementation of Modular Exponentiation http://www.cse.buffalo.edu/srds2009/escs2009_submission_gopal.pdf 5. Fast CRC Computation for iscsi Polynomial using CRC32 Instruction http://download.intel.com/design/intarch/papers/323405.pdf 6. Optimized Galois-Counter-Mode Implementation on IA Processors http://download.intel.com/design/intarch/papers/324194.pdf 7. High Performance Storage Encryption on Intel Architecture Processors http://download.intel.com/design/intarch/papers/324310.pdf 31 Intel Architecture Group

Technical Papers - 2 8. Fast CRC Computation for Generic Polynomials using PCLMULQDQ Instruction http://download.intel.com/design/intarch/papers/323102.pdf 9. High Performance DEFLATE Decompression on Intel Architecture Processors http://edc.intel.com/link.aspx?id=3972 10.Cryptographic Performance on the 2 nd Generation Intel Core Processor http://download.intel.com/design/intarch/papers/324952.pdf 11.Fast Parallel CRC Computation using the Nehalem CRC32 instruction http://drdobbs.com/cpp/229401411 12.Using Intel AES New Instructions and PCLMULQDQ to Significantly Improve IPSec Performance on Linux http://download.intel.com/design/intarch/papers/324238.pdf 13.IDF 2010 Presentation with Voice: Examining the Performance of Intel AES New Instructions on Intel Core i7 Processor http://intelstudios.edgesuite.net/idf/2010/sf/aep/sfts012/sfts012.htm l 14.Improving OpenSSL Performance on IA http://download.intel.com/design/intarch/papers/326232.pdf 32 Intel Architecture Group

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information