
Operators of public cloud services such as Google and Microsoft in particular still face the prejudice that their services are not secure and that data is not adequately protected there. For more security, Intel introduced new instruction sets with the launch of the 3rd Generation Intel Xeon Scalable processor. These ensure that (cloud) data is encrypted at the CPU level. This article explains how this works and what it brings.

The crypto instruction sets available with the 3rd Generation Intel Xeon Scalable processor essentially address three areas: public key authentication, bulk encryption and hashing. The associated functions run directly on the CPU and not, as is often the case, on dedicated accelerator cards such as GPUs and FPGAs, which significantly improves the performance of the entire system.

The associated functions and instruction sets are as follows:

Public key authentication is based on the algorithms RSA, DH, ECDHE and ECDSA, and also supports multi-buffer operations. This allows public keys to be encrypted and decrypted up to eight times faster than with software-based encryption techniques. This type of encryption and decryption is primarily used to secure SSL connections and PKI infrastructures. Among other things, the fused multiply-add instruction VPMADD52 is used.

Bulk encryption (or bulk cryptography) is based on the algorithms AES-GCM, XTS, CTR and CBC. These are covered by the new AES-based Intel AES-NI and Vector CLMUL (carry-less multiplication) instruction sets. The associated instructions provide secure data transmission and data encryption, and are executed up to four times faster than with the conventional Intel AVX-512 instruction set.

Hashing is based on the algorithms SHA-1 and SHA-256. These are used wherever digital signatures and blockchain applications are in the foreground. Hash performance triples as a result.
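Whether a given Linux host, for example a cloud VM, actually exposes these instructions can be checked from the `flags` lines in `/proc/cpuinfo`. The following is an added example, not code from Intel or from this article; the flag names (`avx512ifma` for VPMADD52, `aes`, `vaes`, `pclmulqdq`, `vpclmulqdq`, `sha_ni`) are the Linux kernel's spellings and the grouping into the three areas is an assumption made for illustration.

```python
# Added example: map the three areas named above to Linux /proc/cpuinfo flags.
# Flag names are the Linux kernel's spellings, not taken from the article.
AREAS = {
    "public key (VPMADD52)": {"avx512ifma"},
    "bulk encryption (AES-NI, Vector CLMUL)": {"aes", "vaes", "pclmulqdq", "vpclmulqdq"},
    "hashing (SHA-1, SHA-256)": {"sha_ni"},
}

def common_flags(cpuinfo_text):
    """Return the flags present on every logical CPU listed in the text."""
    per_cpu = []
    for line in cpuinfo_text.splitlines():
        key, sep, value = line.partition(":")
        # Match only the plain "flags" key, not e.g. "vmx flags".
        if sep and key.strip() == "flags":
            per_cpu.append(set(value.split()))
    # Intersect so a flag missing on any one CPU counts as missing.
    return set.intersection(*per_cpu) if per_cpu else set()

def missing_by_area(cpuinfo_text):
    """Map each area to the sorted list of flags the host does not expose."""
    have = common_flags(cpuinfo_text)
    return {area: sorted(need - have) for area, need in AREAS.items()}

# Constructed sample inputs (shortened flag lists, not captured from real hosts).
SAMPLE_FULL = (
    "processor\t: 0\nflags\t\t: fpu aes pclmulqdq avx512f avx512ifma sha_ni vaes vpclmulqdq\n\n"
    "processor\t: 1\nflags\t\t: fpu aes pclmulqdq avx512f avx512ifma sha_ni vaes vpclmulqdq\n"
)
# A guest whose hypervisor masks the newer vector and SHA extensions.
SAMPLE_MASKED = "processor\t: 0\nflags\t\t: fpu aes pclmulqdq avx512f\n"

if __name__ == "__main__":
    try:
        with open("/proc/cpuinfo") as fh:
            text = fh.read()
    except OSError:
        text = SAMPLE_MASKED  # fall back to the constructed sample off Linux
    for area, missing in missing_by_area(text).items():
        status = "ok" if not missing else "missing " + ", ".join(missing)
        print(f"{area}: {status}")
```

A missing flag means a crypto library on that host falls back to an older code path, so the speed-ups quoted above do not apply there.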

Software optimizations ensure hardware-based security

As with any special instruction set, the application must be adapted to the cryptographic functions to make the best possible use of them. The good news: numerous applications and software platforms from Microsoft, SAP, VMware and Oracle use the new crypto instructions out of the box.

If this is not the case, you can look to the well-known open source software providers. Numerous Linux distributions support the cryptographic instruction sets of the 3rd Generation Intel Xeon Scalable processor. NGINX, HAProxy, WordPress, Envoy, Istio, Apache Kafka 2.3 and RocksDB have also already been adapted. The same applies to the Java OpenJDK, the OpenSSL library 1.1.1g and the IPSec/IPP multi-buffer libraries.

If that is not an option, you can prepare your own applications for the cryptographic functions and instructions. All that is required for this is the Intel Crypto API Toolkit. It allows the corresponding instructions to be executed within Intel SGX-based enclaves directly in main memory, for even more security, which is specifically required for data-sensitive applications. The digital patient file is a good example of this.

Cloud service providers benefit from Intel Crypto

Cloud providers like Kingsoft Cloud offer their customers special services such as a CDN (Content Delivery Network). The focus here is on HTTPS-based encryption, which ensures secure connections. To be able to answer as many parallel HTTPS requests as possible, Kingsoft Cloud has opted for the Intel Xeon Scalable processor with its cryptographic functions. The result: more than twice as many HTTPS connections are available at the same time, in combination with a powerful cloud platform.

The offering from Bitnami, a VMware company, is also interesting. There, the developers adapt open source software programs to well-known cloud platforms such as AWS, Azure and Google Cloud. This includes, for example, the proxy software NGINX and the content management system WordPress, both of which use the cryptographic functions of the 3rd Generation Intel Xeon Scalable processor.

Disclaimer: Intel has commissioned me to write and publish this blog post. I had almost a free hand in designing the content.

By admin