Hardware-based encryption

Last updated
Hardware-based encryption
IBM4758 outside1.JPG
The IBM 4758 Cryptographic Module
Process type Cryptography
Industrial sector(s) Computing
Main technologies or sub-processes Cryptographic hash function, Encryption

Hardware-based encryption is the use of computer hardware to assist software, or sometimes replace software, in the process of data encryption. Typically, this is implemented as part of the processor's instruction set. For example, the AES encryption algorithm (a modern cipher) can be implemented using the AES instruction set on the ubiquitous x86 architecture. [1] Such instructions also exist on the ARM architecture. [2] However, more unusual systems exist where the cryptography module is separate from the central processor, instead being implemented as a coprocessor, in particular a secure cryptoprocessor or cryptographic accelerator, of which an example is the IBM 4758, or its successor, the IBM 4764. [3] Hardware implementations can be faster and less prone to exploitation than traditional software implementations, and furthermore can be protected against tampering. [4]

Contents

History

Prior to the use of computer hardware, cryptography could be performed through various mechanical or electro-mechanical means. An early example is the Scytale used by the Spartans. [5] The Enigma machine was an electro-mechanical system cipher machine notably used by the Germans in World War II.[ citation needed ] After World War II, purely electronic systems were developed. In 1987 the ABYSS (A Basic Yorktown Security System) project was initiated. [6] [7] The aim of this project was to protect against software piracy. However, the application of computers to cryptography in general dates back to the 1940s and Bletchley Park, where the Colossus computer was used to break the encryption used by German High Command during World War II. The use of computers to encrypt, however, came later. In particular, until the development of the integrated circuit, of which the first was produced in 1960, computers were impractical for encryption, since, in comparison to the portable form factor of the Enigma machine, [8] computers of the era took the space of an entire building. It was only with the development of the microcomputer that computer encryption became feasible, outside of niche applications. The development of the World Wide Web lead to the need for consumers to have access to encryption, as online shopping became prevalent. [9] The key concerns for consumers were security and speed. [9] This led to the eventual inclusion of the key algorithms into processors as a way of both increasing speed and security. [4]

Implementations

In the instruction set

x86

The X86 architecture, as a CISC (Complex Instruction Set Computer) Architecture, typically implements complex algorithms in hardware. [10] Cryptographic algorithms are no exception. The x86 architecture implements significant components of the AES (Advanced Encryption Standard) algorithm, [1] which can be used by the NSA for Top Secret information. [11] The architecture also includes support for the SHA Hashing Algorithms through the Intel SHA extensions. [1] Whereas AES is a cipher, which is useful for encrypting documents, hashing is used for verification, such as of passwords (see PBKDF2).

ARM

ARM processors can optionally support Security Extensions. Although ARM is a RISC (Reduced Instruction Set Computer) architecture, there are several optional extensions specified by ARM Holdings. [2] [12]

As a coprocessor

Proliferation

Advanced Micro Devices (AMD) processors are also x86 devices, and have supported the AES instructions since the 2011 Bulldozer processor iteration. [15] Due to the existence of encryption instructions on modern processors provided by both Intel and AMD, the instructions are present on most modern computers. [16] They also exist on many tablets and smartphones due to their implementation in ARM processors. [16]

Advantages

Implementing cryptography in hardware means that part of the processor is dedicated to the task. This can lead to a large increase in speed. [4] In particular, modern processor architectures that support pipelining can often perform other instructions concurrently with the execution of the encryption instruction. Furthermore, hardware can have methods of protecting data from software. Consequently, even if the operating system is compromised, the data may still be secure (see Software Guard Extensions). [17]

Disadvantages

If, however, the hardware implementation is compromised, major issues arise. Malicious software can retrieve the data from the (supposedly) secure hardware – a large class of method used is the timing attack. [18] This is far more problematic to solve than a software bug, even within the operating system. Microsoft regularly deals with security issues through Windows Update. Similarly, regular security updates are released for Mac OS X and Linux, as well as mobile operating systems like iOS, Android, and Windows Phone. However, hardware is a different issue. Sometimes, the issue will be fixable through updates to the processor's microcode (a low level type of software). However, other issues may only be resolvable through replacing the hardware, or a workaround in the operating system which mitigates the performance benefit of the hardware implementation, such as in the Spectre exploit. [19]

See also

Related Research Articles

Advanced Encryption Standard Standard for the encryption of electronic data

The Advanced Encryption Standard (AES), also known by its original name Rijndael, is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) in 2001.

Floating-point unit

A floating-point unit is a part of a computer system specially designed to carry out operations on floating-point numbers. Typical operations are addition, subtraction, multiplication, division, and square root. Some FPUs can also perform various transcendental functions such as exponential or trigonometric calculations, but the accuracy can be very low, so that some systems prefer to compute these functions in software.

SIMD

Single instruction, multiple data (SIMD) is a type of parallel processing in Flynn's taxonomy. SIMD can be internal and it can be directly accessible through an Instruction set (ISA): it should not be confused with an ISA. SIMD describes computers with multiple processing elements that perform the same operation on multiple data points simultaneously.

Secure cryptoprocessor Device used for encryption

A secure cryptoprocessor is a dedicated computer-on-a-chip or microprocessor for carrying out cryptographic operations, embedded in a packaging with multiple physical security measures, which give it a degree of tamper resistance. Unlike cryptographic processors that output decrypted data onto a bus in a secure environment, a secure cryptoprocessor does not output decrypted data or decrypted program instructions in an environment where security cannot always be maintained.

ARM is a family of reduced instruction set computing (RISC) architectures for computer processors, configured for various environments. Arm Ltd. develops the architecture and licenses it to other companies, who design their own products that implement one of those architectures‍—‌including systems-on-chips (SoC) and systems-on-modules (SoM) that incorporate different components such as memory, interfaces, and radios. It also designs cores that implement this instruction set and licenses these designs to a number of companies that incorporate those core designs into their own products.

In computer architecture, 64-bit integers, memory addresses, or other data units are those that are 64-bit (8-octet) wide. Also, 64-bit central processing unit (CPU) and arithmetic logic unit (ALU) architectures are those that are based on processor registers, address buses, or data buses of that size. 64-bit microcomputers are computers in which 64-bit microprocessors are the norm. From the software perspective, 64-bit computing means the use of machine code with 64-bit virtual memory addresses. However, not all 64-bit instruction sets support full 64-bit virtual memory addresses; x86-64 and ARMv8, for example, support only 48 bits of virtual address, with the remaining 16 bits of the virtual address required to be all 0's or all 1's, and several 64-bit instruction sets support fewer than 64 bits of physical memory address.

Coprocessor Type of computer processor

A coprocessor is a computer processor used to supplement the functions of the primary processor. Operations performed by the coprocessor may be floating point arithmetic, graphics, signal processing, string processing, cryptography or I/O interfacing with peripheral devices. By offloading processor-intensive tasks from the main processor, coprocessors can accelerate system performance. Coprocessors allow a line of computers to be customized, so that customers who do not need the extra performance do not need to pay for it.

A processor register is a quickly accessible location available to a computer's processor. Registers usually consist of a small amount of fast storage, although some registers have specific hardware functions, and may be read-only or write-only. In computer architecture, registers are typically addressed by mechanisms other than main memory, but may in some cases be assigned a memory address e.g. DEC PDP-10, ICT 1900.

IBM 4758

The IBM 4758 PCI Cryptographic Coprocessor is a secure cryptoprocessor implemented on a high-security, tamper resistant, programmable PCI board. Specialized cryptographic electronics, microprocessor, memory, and random number generator housed within a tamper-responding environment provide a highly secure subsystem in which data processing and cryptography can be performed.

TLS acceleration

TLS acceleration is a method of offloading processor-intensive public-key encryption for Transport Layer Security (TLS) and its predecessor Secure Sockets Layer (SSL) to a hardware accelerator.

Trusted Platform Module Standard for secure cryptoprocessors

Trusted Platform Module is an international standard for a secure cryptoprocessor, a dedicated microcontroller designed to secure hardware through integrated cryptographic keys.

In cryptography, Galois/Counter Mode (GCM) is a mode of operation for symmetric-key cryptographic block ciphers which is widely adopted for its performance. GCM throughput rates for state-of-the-art, high-speed communication channels can be achieved with inexpensive hardware resources. The operation is an authenticated encryption algorithm designed to provide both data authenticity (integrity) and confidentiality. GCM is defined for block ciphers with a block size of 128 bits. Galois Message Authentication Code (GMAC) is an authentication-only variant of the GCM which can form an incremental message authentication code. Both GCM and GMAC can accept initialization vectors of arbitrary length.

An Advanced Encryption Standard instruction set is now integrated into many processors. The purpose of the instruction set is to improve the speed and security of applications performing encryption and decryption using Advanced Encryption Standard (AES).

There are various implementations of the Advanced Encryption Standard, also known as Rijndael.

The IBM 4764 Cryptographic Coprocessor is a secure cryptoprocessor that performs cryptographic operations used by application programs and by communications such as SSL private key transactions associated with SSL digital certificates. Each coprocessor includes a tamper-responding hardware security module (HSM) that provides secure storage for storing master keys and other sensitive data. The HSM has been certified to meet FIPS 140-2 Level 4 security requirements. The coprocessor is supported on all IBM server platforms including System z (mainframe), System i, System p, and System x. On System z, it is called the "Crypto Express2".

RDRAND is an instruction for returning random numbers from an Intel on-chip hardware random number generator which has been seeded by an on-chip entropy source. RDRAND is available in Ivy Bridge processors and is part of the Intel 64 and IA-32 instruction set architectures. AMD added support for the instruction in June 2015.

The IBM 4765 PCIe Cryptographic Coprocessor is a hardware security module (HSM) that includes a secure cryptoprocessor implemented on a high-security, tamper resistant, programmable PCIe board. Specialized cryptographic electronics, microprocessor, memory, and random number generator housed within a tamper-responding environment provide a highly secure subsystem in which data processing and cryptography can be performed.

The IBM 4767 PCIe Cryptographic Coprocessor is a hardware security module (HSM) that includes a secure cryptoprocessor implemented on a high-security, tamper resistant, programmable PCIe board. Specialized cryptographic electronics, microprocessor, memory, and random number generator housed within a tamper-responding environment provide a highly secure subsystem in which data processing and cryptography can be performed. Sensitive key material is never exposed outside the physical secure boundary in a clear format.

The IBM 4768 PCIe Cryptographic Coprocessor is a hardware security module (HSM) that includes a secure cryptoprocessor implemented on a high-security, tamper resistant, programmable PCIe board. Specialized cryptographic electronics, microprocessor, memory, and random number generator housed within a tamper-responding environment provide a highly secure subsystem in which data processing and cryptography can be performed. Sensitive key material is never exposed outside the physical secure boundary in a clear format.

The IBM 4769 PCIe Cryptographic Coprocessor is a hardware security module (HSM) that includes a secure cryptoprocessor implemented on a high-security, tamper resistant, programmable PCIe board. Specialized cryptographic electronics, microprocessor, memory, and random number generator housed within a tamper-responding environment provide a highly secure subsystem in which data processing and cryptography can be performed. Sensitive key material is never exposed outside the physical secure boundary in a clear format.

References

  1. 1 2 3 Intel® 64 and IA-32 Architectures Software Developer's Manual (PDF). Intel. December 2017. pp. 303–309, 410.
  2. 1 2 ARM® Cortex®-A57 MPCore Processor Cryptography Extension (PDF). ARM Holdings. 17 December 2017. Archived (PDF) from the original on 2016-12-13.
  3. 1 2 "4764 Cryptographic Coprocessor". IBM. Archived from the original on 2018-01-21. Retrieved 20 January 2018.
  4. 1 2 3 P. Schmid and A. Roos (2010). "AES-NI Performance Analyzed". Tom's Hardware. Retrieved 20 January 2018.
  5. Kelly, Thomas (July 1998). "The Myth of the Skytale". Cryptologia. 22 (3): 244–260. doi:10.1080/0161-119891886902.
  6. "ABYSS: A Trusted Architecture for Software Protection" (PDF). Archived (PDF) from the original on 2018-01-21. Retrieved 20 January 2018.
  7. "Building the IBM 4758 Secure Coprocessor" (PDF). IBM. Archived (PDF) from the original on 2017-08-08. Retrieved 20 January 2018.
  8. "Enigma-E case" (PDF). Crypto Museum. Archived (PDF) from the original on 2016-11-05. Retrieved 20 January 2018.
  9. 1 2 "Consumers and their online shopping expectations – Ecommerce News". 20 February 2015. Archived from the original on 2016-09-30. Retrieved 29 August 2016.
  10. "x86-64 Instruction Set" (PDF). University of Oxford. 18 April 2017. p. 1. Retrieved 24 January 2018.
  11. Lynn Hathaway (June 2003). "National Policy on the Use of the Advanced Encryption Standard (AES) to Protect National Security Systems and National Security Information" (PDF). Archived (PDF) from the original on 2010-11-06. Retrieved 15 February 2011.
  12. "Cryptographic Hardware Accelerators". OpenWRT.org. 17 May 2016. Archived from the original on 2018-01-21. Retrieved 25 January 2018.
  13. 1 2 "IBM 4765 Cryptographic Coprocessor Security Module" (PDF). National Institute of Standards and Technology. 10 December 2012. Archived (PDF) from the original on 2018-01-25. Retrieved 20 January 2018.
  14. "IBM 4758 Models 2 and 23 PCI Cryptographic Coprocessor" (PDF). IBM. May 2004. Retrieved 24 January 2018.
  15. Brent Hollingsworth (AMD) (October 2012). "New "Bulldozer" and "Piledriver" Instructions" (PDF). Arecibo Observatory. Archived (PDF) from the original on 2018-02-09. Retrieved 25 January 2018.
  16. 1 2 Shay Gueron (University of Haifa & Intel) and Nicky Mouha (KU Leuven & NIST) (9 November 2016). "Simpira v2: A Family of Efficient Permutations Using the AES Round Function" (PDF). Archived (PDF) from the original on 2017-07-16. Retrieved 25 January 2018.
  17. "Intel SGX for Dummies (Intel SGX Design Objectives)". intel.com. 2013-09-26. Archived from the original on 2014-04-29.
  18. "BearSSL – Constant-Time Crypto". www.bearssl.org. Archived from the original on 2017-01-11. Retrieved 2017-01-10.
  19. Hachman, Mark (January 9, 2018). "Microsoft tests show Spectre patches drag down performance on older PCs". PC World . Archived from the original on February 9, 2018. Retrieved 2018-01-09.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.