Intel® vPro™ technology extends advanced security capabilities to business-software developers that can help their applications earn a competitive advantage. Data security is critical for business applications, both to protect valuable business information and to conform to regulatory requirements, which is particularly critical in industries such as financial services and healthcare.
The 3rd generation Intel® Core™ vPro™ processor is the engine at the core of the latest business client PCs that delivers greater manageability, security, and power-efficient performance than ever before. In the area of security, two new hardware-based capabilities are of particular interest to business-software developers: accelerated encryption using Intel® Advanced Encryption Standard New Instructions (Intel® AES-NI) and digital random-number generation with Intel® Secure Key technology.
By building business PC software that supports these platform features, vendors can deliver improved security without having to make trade-offs in performance. They can also demonstrate that they are ahead of the curve in the adoption of new technologies that many of their contemporaries may not have started with yet. Both provide a means to distinguish your products in a positive way from whatever your potential customers are using today and whatever your competitor is suggesting that they replace it with.
Intel® AES-NI: Accelerate Encryption for Better Overall Performance
The 3rd generation Intel Core vPro processor platform brings robust, hardware-accelerated encryption based on the Advanced Encryption Standard (AES) to the business PC with Intel AES-NI. This new set of seven processor instructions accelerates key parts of the AES encryption algorithm, allowing developers to implement pervasive encryption in business applications without unacceptable trade-offs in performance.
AESENC performs one round of an AES encryption flow.
AESENCLAST performs the last round of an AES encryption flow.
AESDEC performs one round of an AES decryption flow.
AESDECLAST performs the last round of an AES decryption flow.
AESKEYGENASSIST assists in AES round key generation.
AESIMC assists in AES Inverse Mix Columns.
CLMUL performs a carry-less multiply operation.
Intel AES-NI allows developers to collapse relatively large, complex passages of data into a smaller amount of code that delivers superior results. This capability can allow secure transactions, such as those over the Internet or in a cloud environment, to be completed faster. It can also reduce the performance “penalty” associated with encrypting data before it is written to disk, including the use of full disk encryption.
Improved Protection from Software Vulnerabilities
In addition to the performance advantages in data-protection schemes that are possible using Intel AES-NI, code also avoids vulnerability to many software-based attacks. In a conventional software AES implementation, the system must hold critical, secret information such as encryption blocks, keys, and lookup tables in memory, where they are theoretically open to attack by malicious code.
Because Intel AES-NI is hardware-based, it does not use lookup tables, and the encryption blocks are executed in silicon, avoiding key parts of the vulnerability profile described above. Moreover, because Intel AES-NI can help reduce code size, it is simpler to implement, which can help reduce the risk that programmers will inadvertently introduce errors that could compromise security.
Implementing Intel AES-NI Using Intel® Integrated Performance Primitives
Developers can implement Intel AES-NI easily and efficiently, including sample code and the capabilities built into Intel® Integrated Performance Primitives (Intel® IPP), beginning with version 6.1 update 2.
Intel IPP simplifies the process of making new code that uses Intel AES-NI compatible with older business PCs that do not support Intel AES-NI, as well as with future generations of Intel® processor platforms. Alternatively, developers can use the CPUID instruction to determine programmatically whether the execution platform supports AES-NI by examining bit 25 of the ECX register. (For more information, see volume 2A, pages 3–198 of the Intel® 64 and IA-32 Architectures Software Developer’s Manual.)
For more information about the hardware and software architecture associated with Intel AES-NI, see the white paper “Intel® Advanced Encryption Standard (AES) Instructions Set.”
Intel® Secure Key Technology: Enhanced Robustness for Cryptography
With the 3rd gen Intel Core vPro processor platform, developers have the benefit of the industry’s first digital random number generator (DRNG) and the new instruction RDRAND that is used to implement the DRNG in code. Together, the DRNG and RDRAND comprise Intel® Secure Key technology, which improves significantly on previous embedded random number generators (RNGs).
Encryption schemes consist of a mathematical treatment of data using a specialized algorithm and a sequence of random numbers. The security of the overall system depends, in part, on the operation of the RNG that produces the sequence being unpredictable. Back in the 1990s, secure sockets protocol (SSL) was compromised by the use of “random” numbers in the programming that were in reality somewhat predictable.
The difficulty in generating random numbers in a digital environment is that, while the natural world is full of random events, well-designed digital circuits by definition are extremely orderly and deterministic. For years, many Intel® chipsets have overcome that limitation by including an analog, hardware-based RNG. Because that analog circuitry consumed a great deal of power and was somewhat inefficient in terms of chip design, the new digital solution that Intel Secure Key technology provides is a significant advancement.
The DRNG and RDRAND: Implementation
Put simply, the DRNG built into the 3rd gen Intel Core vPro processor platform is based on the use of thermal noise from within the silicon to output a continuous stream of random bits. Various mechanisms are built into the silicon to generate values of the desired size from this data and to continually self-validate the robustness of the overall mechanism.
RDRAND is implemented as part of the Intel® Advanced Vector Extensions (Intel® AVX) instruction set, which is designed to accelerate floating-point intensive operations. It is broadly used for general-purpose applications such as image and audio processing, scientific simulations, and financial analytics. The instruction itself returns a random-number value to the destination register specified as an argument within the invocation. The following are among the other considerations associated with the use of RDRAND:
Bit-size of returned value. The size of that destination register determines the size of the random value that is returned, which may be of 16, 32, or 64 bits.
Carry flag (CF). The CF bit must be examined after invoking RDRAND; a CF value of 1 is typical and indicates that a random value was available; a CF value of 0 is rare and indicates that a random value was not available.
Identifying platform support. The CPUID instruction can determine programmatically whether the execution platform supports RDRAND by examining bit 30 of the ECX register. (For more information, see volume 2A, pages 3–198 of the Intel® 64 and IA-32 Architectures Software Developer’s Manual.)
For in-depth documentation of the hardware and software engineering associated with the DRNG and RDRAND instruction, see the Intel® Secure Key Software Implementation Guide.
Intel Secure Key Technology: Industry Context
Information security is a key application of Intel Secure Key technology, because cryptographic protocols use RNGs for a variety of purposes, such as generating keys and session values. As the SSL example shows, RNGs must be well-designed, or they can become the weak link in an otherwise-robust cryptographic scheme. Intel Secure Key technology provides a programmatically straightforward way to meet this need.
Many classes of general-purpose applications today must demonstrate conformance to specific security standards to be compliant with regulatory guidelines such as the Federal Information Security Management Act (FISMA), Health Insurance Portability and Accountability Act (HIPAA), and the Payment Card Industry (PCI) Data Security Standards. Intel Secure Key technology is engineered with this consideration firmly in mind, so it is compliant with existing standards from international organizations such as the National Institute of Standards and Technology (NIST), American National Standards Institute (ANSI), and Federal Information Processing Standard (FIPS).
In addition to information security uses, the performance and ease of use of Intel Secure Key technology make it well suited to applications that may not involve security issues, but which nonetheless depend on random number generation. For example, Monte Carlo simulations are a very common way to model complex systems in business, engineering, and science. Intel Secure Key technology provides a reliable, robust source for the large collections of random numbers needed for Monte Carlo simulations to be effective. Other programmatic uses of random numbers include communication protocols, gaming, and bulk applications such as hard-disk wiping.
The continuing development of Intel vPro technology offers developers of business software an excellent opportunity to extend new capabilities to their customers. With each generation, these platforms offer greater manageability, security, and power-efficient performance.
By implementing Intel AES-NI and Intel Secure Key technology, software vendors can readily add high-performance information security capabilities to their products. Stronger security without compromise is a winning combination for all concerned.
For more information on the capabilities of Intel vPro technology, visit the
Intel® vPro™ Developer Community