Intel stuffs speedy security into silicon
Otellini's 'job one'
Intel Labs has announced two new chunks of test silicon that expand the company's definition of what it considers "job one" in terms of product development.
"I've given our company a charter to make [security] job one," Justin Rattner, director of Intel Labs, quoted CEO Paul Otellini as saying in an interview earlier this year. Rattner was speaking to reporters at the 2010 Symposia on VLSI Technology and Circuits in Honolulu, Hawaii.
"What he was talking about is the increasing attention we're giving to security at various levels in the system," said Rattner. "How can we make our products more robust in the face of attacks of all sorts — viruses, and worms, and rootkits, and all kinds of malware — as well as making them more capable of protecting secrets even in the face of attack?"
One solution to that problem is in a paper that Intel is presenting at VLSI entitled "AES encryption accelerator for content protection". As Rattner explained: "One of the features in the new Westmere processor was something that we call the AES-NI, which is a group of instructions intended to accelerate AES-compatible encryption and decryption. Performance enhancements from AES-NI were in the range of 3 to 10X, but customers are asking for even more improvement."
So Intel Labs has developed a 45nm test chip that runs at 53Gbps when performing AES encryption, a level of performance that Rattner claims is five times as fast as any other reported work in the field. In addition to the encryption speed, the test chip can operate at a mere 320mV.
Although Otellini may have recently proclaimed security to be "job one", power savings has held that position at Intel for some years. Rattner made that point explicitly when he (under)stated: "I think generally that you can expect that as we report future circuit research that we'll be both pushing performance as well as striving for increased energy efficiency."
The second security-related paper that Rattner discussed was "On-chip random number generator for key generation," which supports random-number key generation in AES and other cryptographic standards.
Chuckling, Rattner said about random-number generators: "You know, this is kind of a long-debated capability — long-debated at Intel, anyway: the ability to put a very high quality random-number generator in silicon."
Rattner claimed that the on-chip circuitry that his lab has developed has been able to pass the stringent National Institute of Standards and Technology (NIST) tests for true randomness. "The circuit passes all of their tests. This is not a pseudo-random generator; this is a true random-number generator." And, yes, there's still plenty of debate about pseudo-random versus true-random, and not only at Intel.
The on-chip random-number circuitry can run at 2Gbps, consumes a trifling 7mW of power, and is scalable down to 280mV — another marriage of the old and new Intel "job one" contenders. ®
Imitation is the sincerest form of flattery
All hail the wonderful Intel innovations which are a copy of what Via delivered 5+ years ago. My 6 year old MS1000 which I use for a firewall can do that and the more recent ones can do more - RSA, RNG, etc.
Let's innovate!!! By copying from companies you bulldoze down through monopolistic practices. Viva the Intel way!!!
Am I confused ...
... but isn't it incorrect to use 'pseudo' as the opposite of 'high-quality' when discussing random number generators? I thought there were such things as high-quality pseudo RNGs, and that the only RNGs that weren't 'pseudo' used a real source of randomness, like quantum effects (e.g. electrical noise).
"What he was talking about is the increasing attention we're giving to security at various levels in the system," said Rattner. "How can we make our products more robust in the face of attacks of all sorts — viruses, and worms, and rootkits, and all kinds of malware — as well as making them more capable of protecting secrets even in the face of attack?"
Here I was thinking that one can't fix a broken OS in silicon. The CPU doesn't really know the intent of the code it's executing. Executing a virus is not a bug if the OS allowed it in the first place, no?
One area which could use improvement is a mechanism to lock down the bootloader such that it cannot be modified - even by the OS, without user approval (requiring either physical, or network authentication). This way, even a vulnerable OS could be restored to a known state simply by rebooting.
I'm all for the RNG too!
Re: Brute force
Crypto that can be brute-forced (i.e. WEP) most likely does not even need specialized hardware. But if there are 2^512 possibilities, a 10x speed boost won't matter that much.
All hail VIA - not!
VIA is a has-been (or a "never-was"?) because they produced crappy CPUs, slow and bug-ridden chipsets, S3-derived graphics silicon that even Intel beats, and worst of all, BSOD-guaranteed drivers. Good riddance.
Innovations by VIA - I can't name any, can you?
Intel is not innovating per se - hardware encryption is not exactly a new thing, they are just claiming they have the fastest AES encryption silicon. That's not copying.