Encrypting the Internet 09/01/10

Encrypting the Internet (09/01/10)
M. Kounavis, X. Kang, K. Grewal, M. Eszenyi, D. Durham, Intel Corporation
S. Gueron, Intel Corporation and Univ. of Haifa

Problem Space
Trends/facts: 50,000,000 web sites, but only 600,000 enable SSL/TLS (e.g. https://www.google.com).
Problem statement: how do we secure the Internet? Encrypt sites; authentication everywhere.
Is this possible?

Anatomy of a TLS Session
Client: RSA-encrypts the pre-master secret under the server's public key.
Server: RSA-decrypts it to recover the pre-master secret (>2 million clocks).
From the pre-master secret the AES encryption and authentication key is derived, and the encrypted and authenticated data that follows costs >2 million clocks.
Encryption is costly.

Accomplishment
CPUs are now capable of encrypting packets at line rates.
Symmetric encryption: new AES instructions (AES-NI), 4-12x speedup.
Asymmetric encryption: RSA optimizations, 40% speedup.

Out of Scope
Certificate/trust management; malicious software/viruses/worms; privacy breaches at the end-system.

What is AES?
US standard for symmetric encryption (FIPS 197).
128-bit blocks; 128, 192 or 256-bit keys.
10 (128-bit key), 12 (192) or 14 (256) rounds of the AES round function, with round keys produced by the AES key schedule.

AES: Walkthrough, SubBytes()
S-box substitution: each state byte a_i is inverted in GF(2^8) and then passed through an affine map.
State layout (by rows):
  a0  a4  a8  a12
  a1  a5  a9  a13
  a2  a6  a10 a14
  a3  a7  a11 a15

AES: Walkthrough, SubBytes() example
Input state:    38 ea a2 44 / c6 ff d3 12 / 43 21 0a b7 / 51 84 3f a9
After SubBytes: 07 87 3a 1b / b4 16 66 c9 / 1a fd 67 a9 / d1 5f 75 d3

AES: Walkthrough, ShiftRows()
Byte permutation: each row of the state is rotated by a fixed number of positions.
Before: 07 87 3a 1b / b4 16 66 c9 / 1a fd 67 a9 / d1 5f 75 d3
After:  1b 07 87 3a / 66 c9 b4 16 / fd 67 a9 1a / d1 5f 75 d3

AES: Walkthrough, MixColumns()
Linear diffusion: each column is multiplied over GF(2^8) by the fixed circulant matrix with entries 2, 3, 1, 1; for example the column (1b, 66, fd, d1) maps to (c5, cd, 81, d8).
Before: 1b 07 87 3a / 66 c9 b4 16 / fd 67 a9 1a / d1 5f 75 d3
After:  c5 41 97 16 / cd b8 3d ab / 81 d6 7c e7 / d8 d9 39 bf

AES: Walkthrough, AddRoundKey()
The state is XORed with the round key.
State:     c5 41 97 16 / cd b8 3d ab / 81 d6 7c e7 / d8 d9 39 bf
Round key: f2 15 11 01 / c9 83 de b1 / 1e 20 cb 32 / d9 00 9a bf
Result:    37 54 86 17 / 04 3b e3 1a / 9f f6 b7 d5 / 01 d9 a3 00

What is AES-NI?
Code without AES-NI implements the round with table lookups; AES-NI implements it in combinatorial logic.

The New Instructions
AESENC     = ShiftRows(), SubBytes(), MixColumns(), AddRoundKey()
AESENCLAST = ShiftRows(), SubBytes(), AddRoundKey()
AESDEC     = InvShiftRows(), InvSubBytes(), InvMixColumns(), AddRoundKey()
AESDECLAST = InvShiftRows(), InvSubBytes(), AddRoundKey()
Also CLMUL, AESIMC, AESKEYGENASSIST.
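A software model of the round that the walkthrough and the instruction table describe, as an added example (not code from the presentation): the S-box is derived from the GF(2^8) inversion and affine map rather than stored, and aesenc()/aesenclast() compose the four steps exactly as AESENC/AESENCLAST do. expand_key_128() and aes128_encrypt() are assumed helper names that chain those rounds into full AES-128.

```python
# Added example, not the presentation's code: a pure-Python model of the AES round the
# walkthrough slides describe (state = 16 bytes in FIPS-197 column-major order).

def gf_mul(a, b):  # multiply in GF(2^8) modulo x^8 + x^4 + x^3 + x + 1 (0x11B)
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def sbox_byte(a):  # S-box: invert a in GF(2^8) as a^254 (0 -> 0), then the affine map
    x = 1
    for _ in range(254):
        x = gf_mul(x, a)
    y = 0
    for i in range(8):  # y_i = x_i ^ x_(i+4) ^ x_(i+5) ^ x_(i+6) ^ x_(i+7) ^ c_i, c = 0x63
        y |= ((sum(x >> ((i + k) % 8) for k in (0, 4, 5, 6, 7)) ^ (0x63 >> i)) & 1) << i
    return y
SBOX = [sbox_byte(i) for i in range(256)]

def sub_bytes(s):
    return [SBOX[b] for b in s]
def shift_rows(s):  # row r (bytes r, r+4, r+8, r+12) rotates left by r positions
    return [s[(i + 4 * (i % 4)) % 16] for i in range(16)]
def mix_columns(s):  # each column multiplied by the circulant matrix (2, 3, 1, 1)
    return [gf_mul(s[4*c + r], 2) ^ gf_mul(s[4*c + (r + 1) % 4], 3)
            ^ s[4*c + (r + 2) % 4] ^ s[4*c + (r + 3) % 4] for c in range(4) for r in range(4)]
def add_round_key(s, rk):
    return [a ^ b for a, b in zip(s, rk)]
def aesenc(s, rk):  # the transform AESENC applies to one 128-bit register
    return add_round_key(mix_columns(shift_rows(sub_bytes(s))), rk)
def aesenclast(s, rk):  # final round as AESENCLAST: no MixColumns
    return add_round_key(shift_rows(sub_bytes(s)), rk)

def expand_key_128(key):  # AES-128 key schedule: 44 words as 11 round keys of 16 bytes
    w, rcon = [list(key[4*i:4*i + 4]) for i in range(4)], 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:  # RotWord, SubWord, XOR the round constant
            t = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            rcon = gf_mul(rcon, 2)
        w.append([x ^ y for x, y in zip(w[i - 4], t)])
    return [sum(w[4*r:4*r + 4], []) for r in range(11)]

def aes128_encrypt(key, block):  # key whitening, 9 x AESENC, then AESENCLAST
    rks = expand_key_128(key)
    s = add_round_key(list(block), rks[0])
    for rk in rks[1:10]:
        s = aesenc(s, rk)
    return bytes(aesenclast(s, rks[10]))
```

The table-lookup implementation that AES-NI replaces precomputes SBOX and the MixColumns products into T-tables; the instruction evaluates the same functions in logic without any memory access.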

Restructuring RSA
BEFORE: a monolithic Montgomery implementation with its own big-number multiply (any algorithm).
AFTER: the big-number multiply is separated out (plug any multiplication algorithm here, e.g. a 9-by-9 Karatsuba-like multiplier or an ASM schoolbook multiplier), followed by a reduction step that costs 1.5 multiplies.
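The AFTER layout above, as an added example (not the presentation's code): Montgomery reduction written against a pluggable multiplier, so the multiplication algorithm can be swapped without touching the reduction. karatsuba_mul() and schoolbook_mul() are assumed stand-ins for the two multipliers the slide names, and Python integers stand in for multi-limb numbers.

```python
# Added example, not the presentation's code. R = 2^k with k = bit length of the odd
# modulus n; the multiplier is injected so any algorithm can be plugged in.

def schoolbook_mul(x, y):  # stands in for an assembly schoolbook multiplier
    return x * y

def karatsuba_mul(x, y, cutoff=64):  # stands in for the Karatsuba-like multiplier
    if x.bit_length() <= cutoff or y.bit_length() <= cutoff:
        return x * y
    h = max(x.bit_length(), y.bit_length()) // 2
    x1, x0 = x >> h, x & ((1 << h) - 1)
    y1, y0 = y >> h, y & ((1 << h) - 1)
    z0 = karatsuba_mul(x0, y0, cutoff)
    z2 = karatsuba_mul(x1, y1, cutoff)
    z1 = karatsuba_mul(x0 + x1, y0 + y1, cutoff) - z0 - z2  # three half-size products
    return (z2 << (2 * h)) + (z1 << h) + z0

def montgomery_params(n):  # k, R = 2^k > n, and n' with n * n' == -1 (mod R)
    k = n.bit_length()
    R = 1 << k
    inv = 1                                 # n^-1 mod 2; Newton doubles the precision
    for _ in range(k.bit_length() + 1):
        inv = (inv * (2 - n * inv)) & (R - 1)
    return k, R, (R - inv) & (R - 1)

def redc(t, n, k, R, n_prime, mul):
    """Montgomery reduction t * R^-1 mod n for t < n * R. The '1.5 multiplies' are
    the half-width product m = (t mod R) * n' mod R and the full product m * n."""
    m = mul(t & (R - 1), n_prime) & (R - 1)
    u = (t + mul(m, n)) >> k
    return u - n if u >= n else u

def mont_exp(base, exp, n, mul=karatsuba_mul):
    """Modular exponentiation (RSA's core operation) built only from mul + redc."""
    k, R, n_prime = montgomery_params(n)
    x = (base * R) % n                      # base in Montgomery form
    acc = R % n                             # 1 in Montgomery form
    for bit in bin(exp)[2:]:                # left-to-right square and multiply
        acc = redc(mul(acc, acc), n, k, R, n_prime, mul)
        if bit == "1":
            acc = redc(mul(acc, x), n, k, R, n_prime, mul)
    return redc(acc, n, k, R, n_prime, mul)  # back out of Montgomery form
```

Left-to-right square-and-multiply is used here for brevity; a production RSA implementation would use a constant-time exponentiation ladder, which the slide's restructuring does not change.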

TLS 1.2
Combined-mode algorithm support (AEAD): encryption and authentication together. Enables fast AES-GCM implementations.
We developed the first public domain implementation of TLS 1.2 with AES-GCM.

AES Instruction Performance
AES round latency (table lookups): 24 clocks
AES-NI latency: 6 clocks
AES-NI throughput: 2 clocks (1)
(1) AESENC, AESENCLAST, AESDEC, AESDECLAST throughput on the Westmere processor. Westmere is the codename for the family of 32nm processors based upon the Intel® microarchitecture codename Nehalem.

Crypto Algorithm Performance (cycles/byte)
                      AES-NI: OFF   AES-NI: ON
AES-128 CBC encrypt   16.1          4.1
AES-128 CTR encrypt   19.3          1.3
AES-128 ECB encrypt   15.6          1.2
AES-128 GCM encrypt   29.5          3.9
CBC, CTR and ECB: encryption only; GCM: encryption + authentication.

TLS 1.2 Performance
Intel® Core™ i5 661 w/o AES-NI:       501 SSL sessions/sec
Intel® Core™ i5 661 w/ AES-NI, CBC:   835 SSL sessions/sec
Intel® Core™ i5 661 w/ AES-NI, GCM:  1216 SSL sessions/sec
Cost per session (CPU clocks):
  w/o AES-NI:      RSA 1024 2.17 million, AES 2.30 million, SHA1 1.18 million, other 0.73 million
  w/ AES-NI, CBC:  RSA 1024 1.34 million, AES 0.58 million, SHA1 1.18 million, other 0.73 million
  w/ AES-NI, GCM:  RSA 1024 1.34 million, AES 0.19 million, GCM 0.37 million, other 0.73 million
Performance tests and ratings are measured using specific computer systems and/or components and reflect the approximate performance of Intel products as measured by those tests. Any difference in system hardware or software design or configuration may affect actual performance. Buyers should consult other sources of information to evaluate the performance of systems or components they are considering purchasing. For more information on performance tests and on the performance of Intel products, visit Intel Performance Benchmark Limitations.
Source: Intel internal measurements using internal benchmarks on an early reference server with two Westmere CPUs: frequency 3.20GHz, single core, single threaded, cache size: 12288 KB; memory: 12 GB; OS: Linux fedora 2.6.27.5-117.fc10.x86_64; session size = 140KB. As of August 31, 2009. session size = 283712 bytes

Conclusion
Substantial crypto performance boost: 1 (8) cores to saturate 1 (10) Gbps links; specialized appliances are more expensive.
Future work: RSA 2048/3072 acceleration, the SHA-3 winning algorithm, public trials.
Can we encrypt the Internet?

Questions?