Tuesday, March 16, 2010

Latest Intel processor security features

Intel has released an updated version of their "Nehalem" processors, called "Westmere". The flagship processor, "Westmere-EP" has 6 cores running at 3.33 GHz, and can be purchased for desktops (Core i7 980x) or servers (Xeon 5600 series). Low-end Westmere variants are available for notebooks and desktops as well (Core i3).

Westmere contains several security features beyond what Nehalem had, so I thought I'd discuss them here.

AES speed

The press echoes Intel's claims that they speed up AES by 9 times over software implementations, but that's not completely true. It's complicated.

You only get that performance increase when you can encrypt (or decrypt) multiple blocks at a time. That is because the instructions have a high (6 clock cycle) latency. When encrypting a block, each instruction depends upon the results of the previous instruction, so the processor must stop and wait. When encrypting multiple blocks in parallel, the instructions for encrypting different blocks don't depend upon each other, and therefore the instructions can operate in parallel.

Some uses of AES "chain" blocks together: encrypting each block uses data from the previous block. This prevents the CPU from executing the AES instructions for different blocks in parallel, and is a huge performance loss. This is the default mode for SSL.

Disk encryption products typically don't chain blocks together, because software often reads from the middle of files ("random access"). You wouldn't want to have to decrypt the file from the start in order to read bytes from the end of the file.

Thus, if you want to use the new AES instructions for TrueCrypt or BitLocker disk encryption, you'll probably get around a 9-fold increase in encryption performance. However, if you want to use these new processors for SSL website hosting, you are only likely to get a 3-fold increase in encryption performance.

Note that in both cases, AES encryption is only part of the web hosting or disk encryption, so overall performance will not change as much.

AES security

A software implementation accelerates encryption by using lookup tables in memory. Each key causes a different pattern of memory lookups. Hackers can write software that, even though it's running on a different virtual machine, can still detect the pattern of memory accesses and thus recover part of the AES encryption key.

Intel's new AES instructions prevent this. They use internal calculations in the CPU rather than lookup tables, so the memory access pattern is the same regardless of the key.

This is largely a theoretical attack. In the typical case of multiple customers sharing hardware for hosting websites, SSL generates a new key for every session, and sessions are too short to make key recovery practical. However, in cryptography, "theoretical" attacks are frequently proven practical. Therefore, the new instructions are an important improvement.
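Here is an added example of the two points above (the latency penalty of chaining, and the absence of key-dependent table lookups); it is my own code, not the sample code from Intel's whitepaper. It implements AES-128 with the AES-NI intrinsics, runs the FIPS-197 known-answer vector through it, and times a chained (CBC) pass against a four-way interleaved (ECB) pass with the cycle counter. It assumes GCC or Clang on an x86 machine; the per-function target attribute enables AES-NI without passing -maes, and a runtime CPUID check keeps the program safe on CPUs without the instructions. The chaining penalty applies to the encrypting side (CBC decryption can still be parallelised), which for a web server is every byte it sends.

```c
/* Added example: AES-128 via AES-NI, comparing chained (CBC) with independent blocks.
   Assumes GCC/Clang on x86; everything else reports AES-NI as unavailable. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define BLK 16
#define ROUNDS 10

#if defined(__x86_64__) || defined(__i386__)
#include <wmmintrin.h>   /* _mm_aesenc_si128, _mm_aeskeygenassist_si128 */
#include <x86intrin.h>   /* __rdtsc */
#define AESNI __attribute__((target("aes,sse2")))

int aesni_available(void) { return __builtin_cpu_supports("aes") ? 1 : 0; }

/* One AES-128 key-schedule step driven by AESKEYGENASSIST. */
AESNI static __m128i expand_step(__m128i key, __m128i gen) {
    gen = _mm_shuffle_epi32(gen, _MM_SHUFFLE(3, 3, 3, 3));
    key = _mm_xor_si128(key, _mm_slli_si128(key, 4));
    key = _mm_xor_si128(key, _mm_slli_si128(key, 4));
    key = _mm_xor_si128(key, _mm_slli_si128(key, 4));
    return _mm_xor_si128(key, gen);
}
/* Expand the 16-byte key into 11 round keys; the round constant must be an immediate. */
AESNI static void expand_key(const uint8_t key[BLK], __m128i rk[ROUNDS + 1]) {
    rk[0] = _mm_loadu_si128((const __m128i *)key);
#define EXP(i, rc) rk[i] = expand_step(rk[i - 1], _mm_aeskeygenassist_si128(rk[i - 1], rc))
    EXP(1, 0x01); EXP(2, 0x02); EXP(3, 0x04); EXP(4, 0x08); EXP(5, 0x10);
    EXP(6, 0x20); EXP(7, 0x40); EXP(8, 0x80); EXP(9, 0x1b); EXP(10, 0x36);
#undef EXP
}
/* One block: AESENC per round, AESENCLAST last. No S-box table is read, so the
   memory access pattern does not depend on the key. */
AESNI static __m128i enc_block(__m128i m, const __m128i rk[ROUNDS + 1]) {
    m = _mm_xor_si128(m, rk[0]);
    for (int r = 1; r < ROUNDS; r++) m = _mm_aesenc_si128(m, rk[r]);
    return _mm_aesenclast_si128(m, rk[ROUNDS]);
}
/* iv != NULL: CBC; block i is XORed with ciphertext i-1, so each block's AESENC
   chain must finish before the next starts and every instruction's latency is paid.
   iv == NULL: ECB four blocks at a time; the four chains are independent, so the
   pipeline overlaps them (n must be a multiple of 4). Returns 0 without AES-NI. */
AESNI int aes128_encrypt(const uint8_t key[BLK], const uint8_t *iv,
                         const uint8_t *in, uint8_t *out, size_t n) {
    if (!aesni_available()) return 0;
    __m128i rk[ROUNDS + 1];
    expand_key(key, rk);
    if (iv) {
        __m128i prev = _mm_loadu_si128((const __m128i *)iv);
        for (size_t i = 0; i < n; i++) {
            __m128i m = _mm_loadu_si128((const __m128i *)(in + i * BLK));
            prev = enc_block(_mm_xor_si128(m, prev), rk);
            _mm_storeu_si128((__m128i *)(out + i * BLK), prev);
        }
        return 1;
    }
    for (size_t i = 0; i + 4 <= n; i += 4) {
        __m128i m[4];
        for (int j = 0; j < 4; j++)
            m[j] = _mm_xor_si128(_mm_loadu_si128((const __m128i *)(in + (i + j) * BLK)), rk[0]);
        for (int r = 1; r < ROUNDS; r++)
            for (int j = 0; j < 4; j++) m[j] = _mm_aesenc_si128(m[j], rk[r]);
        for (int j = 0; j < 4; j++)
            _mm_storeu_si128((__m128i *)(out + (i + j) * BLK), _mm_aesenclast_si128(m[j], rk[ROUNDS]));
    }
    return 1;
}
/* Cycles per byte (rdtsc) for chained versus independent encryption of n zero blocks. */
int measure_cpb(size_t n, double *cbc_cpb, double *ecb_cpb) {
    uint8_t key[BLK] = {0}, iv[BLK] = {0};
    uint8_t *in = calloc(n, BLK), *out = calloc(n, BLK);
    int ok = in && out && aesni_available();
    if (ok) {
        unsigned long long t0 = __rdtsc();
        aes128_encrypt(key, iv, in, out, n);
        unsigned long long t1 = __rdtsc();
        aes128_encrypt(key, NULL, in, out, n);
        unsigned long long t2 = __rdtsc();
        *cbc_cpb = (double)(t1 - t0) / (double)(n * BLK);
        *ecb_cpb = (double)(t2 - t1) / (double)(n * BLK);
    }
    free(in); free(out);
    return ok;
}
#else  /* not x86: no AES-NI, so every entry point reports "unavailable" */
int aesni_available(void) { return 0; }
int aes128_encrypt(const uint8_t *k, const uint8_t *iv, const uint8_t *in, uint8_t *out, size_t n) {
    (void)k; (void)iv; (void)in; (void)out; (void)n; return 0;
}
int measure_cpb(size_t n, double *c, double *e) { (void)n; (void)c; (void)e; return 0; }
#endif

/* FIPS-197 Appendix C.1 known answer, checked through both paths (CBC with a zero IV
   on one block, and four-way ECB). Returns 1 only if every output matches. */
int aes128_selftest(void) {
    static const uint8_t key[BLK] = {0,1,2,3,4,5,6,7,8,9,10,11,12,13,14,15};
    static const uint8_t pt[BLK] = {0x00,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,0x99,0xaa,0xbb,0xcc,0xdd,0xee,0xff};
    static const uint8_t ct[BLK] = {0x69,0xc4,0xe0,0xd8,0x6a,0x7b,0x04,0x30,0xd8,0xcd,0xb7,0x80,0x70,0xb4,0xc5,0x5a};
    static const uint8_t iv0[BLK] = {0};
    uint8_t in[4 * BLK], out[4 * BLK];
    for (int j = 0; j < 4; j++) memcpy(in + j * BLK, pt, BLK);
    if (!aes128_encrypt(key, iv0, in, out, 1) || memcmp(out, ct, BLK) != 0) return 0;
    if (!aes128_encrypt(key, NULL, in, out, 4)) return 0;
    for (int j = 0; j < 4; j++) if (memcmp(out + j * BLK, ct, BLK) != 0) return 0;
    return 1;
}

int main(void) {
    double cbc, ecb;
    if (!aesni_available()) { puts("AES-NI not available on this CPU"); return 1; }
    printf("FIPS-197 known-answer test: %s\n", aes128_selftest() ? "ok" : "FAILED");
    if (measure_cpb(1 << 16, &cbc, &ecb))
        printf("CBC (chained): %.2f cycles/byte   ECB x4 (independent): %.2f cycles/byte\n", cbc, ecb);
    return 0;
}
```

Build with `cc -O2 aesni_demo.c -o aesni_demo`. The exact cycle counts depend on the core, but the chained pass should land near the latency-bound figure the notes below derive (roughly 6 cycles per round per block), while the interleaved pass is limited by throughput and runs several times faster. A real protocol implementation would use a parallel mode such as CTR or GCM rather than ECB to get this benefit; ECB is used here only because it is the simplest independent-block case.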

SHA-3 selection

The government is currently looking for a new hash standard to replace SHA-1, which has proven to be weak.

Some have proposed algorithms that can be easily implemented in software, like Skein.

Others have proposed algorithms that are based on the same building blocks as AES. This means that while they may be slower on many processors, they will be faster on the latest Intel processors (and other processors that similarly contain AES features). Experiments with AES-like hash algorithms show that they can be sped up 5 to 10 times with the new Intel instructions.

Now that Intel is shipping these new processors, it might prejudice the SHA-3 selection committee toward one of the AES-based proposals.

Trusted Execution (TXT) and vPro

Intel added TXT features to the previous generation of processors (Core 2), but they were missing from the current generation (Nehalem, Core i7). The Westmere processor now includes the same TXT features as Core 2.

Trusted Execution protects against some specific hacker attacks. For example, "full disk encryption" products require the user to enter a password before the system can boot from the encrypted disk. In theory, a hacker could change the bootloader to first steal the password before booting the system. TXT (in theory) prevents the bootloader from being changed.

Another attack is to hook a hostile device up to the Firewire port that reads the contents of memory to a flash drive, or installs a virus on a running system. In theory, TXT features (VT-d) prevent this by restricting the range of memory the Firewire hardware can access.

Fiddling with hardware, such as the sound or video card, has been one way that software running on a virtual machine could break into another virtual machine. TXT makes this more secure, by doing a better job of isolating hardware.

A lot of this is "theory". While it certainly makes things harder for hackers, researchers have found ways around some of the technology.

Conclusion

Corporations should take a look at "vPro" laptops and desktops, in particular, with "full disk encryption" in mind. TXT will protect the boot process for BitLocker, and the new AES instructions will accelerate encryption.

Web-hosting providers will like the AES encryption acceleration and greater isolation of virtual machines. The 6 cores of "Westmere" over the 4 cores of "Nehalem" processors are also a clear benefit. These processors use the same sockets, so web hosters can easily swap out the old processors for the new ones.

Notes

Intel has a whitepaper called "Intel Advanced Encryption Standard (AES) Instructions Set". It has good information, including sample implementations of AES using the new instructions.

DJB has a paper benchmarking optimized software AES, "New AES software speed records". He gets 10.57 clocks-per-byte in his optimized software for the Core 2 processor, compared to my guess of 3.75 clocks-per-byte for the new AES instructions (in non-parallel modes like CBC). This implies a 3-fold increase for the new AES instructions.

The paper "The Intel AES Instructions Set and the SHA-3 Candidates" looks at how these new instructions might accelerate SHA-3 candidates. It also guesses that the core AES instructions have a 6-cycle latency. From this, I guess that the new AES instructions will encrypt data at 3.75 cycles per byte (each instruction executes a full AES round, each block requires 10 rounds, and there are 16 bytes per block, thus 6 * 10 / 16 = 3.75).

Security researcher Joanna Rutkowska has found several issues with TXT that are worth reading about. You should also look at the rebuttal to her points as well. Overall, it doesn't mean TXT is worthless; it still makes it harder to hack a system when deployed correctly.

Sniffing my Gmail connection, I see that it negotiates AES in chaining mode:
Secure Socket Layer
TLSv1 Record Layer: Handshake Protocol: Server Hello
Content Type: Handshake (22)
Version: TLS 1.0 (0x0301)
Length: 74
Handshake Protocol: Server Hello
Handshake Type: Server Hello (2)
Length: 70
Version: TLS 1.0 (0x0301)
Random
Session ID Length: 32
Session ID: F71EC579BD9E19F3EA64CAE5F78D3B2...
Cipher Suite: TLS_RSA_WITH_AES_256_CBC_SHA (0x0035)
Compression Method: null (0)
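The dissection above is what a packet sniffer prints; the added example below (my own code, not part of the original post) parses the same framing from raw bytes and answers the question that matters for AES-NI: does the negotiated cipher suite chain blocks? The record and handshake headers, version and suite value 0x0035 come from the dissection; the random and session ID bytes are constructed filler, and the small suite table is an assumption covering only four common suites.

```c
/* Added example: parse a TLS Handshake record carrying a Server Hello and classify
   the negotiated cipher suite as chained (CBC) or not. Sample bytes are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct server_hello {
    uint16_t record_version, hello_version, cipher_suite;
    uint8_t session_id_len, compression;
    uint8_t random[32], session_id[32];
};

/* Writes a constructed 79-byte record into buf: 5-byte record header (length 74),
   4-byte handshake header (length 70), then the Server Hello body. Returns the size. */
size_t build_sample(uint8_t *buf) {
    static const uint8_t head[] = { 0x16, 0x03, 0x01, 0x00, 0x4a,   /* Handshake, TLS 1.0, length 74 */
                                    0x02, 0x00, 0x00, 0x46,         /* Server Hello, length 70 */
                                    0x03, 0x01 };                   /* TLS 1.0 */
    static const uint8_t tail[] = { 0x00, 0x35, 0x00 };  /* TLS_RSA_WITH_AES_256_CBC_SHA, null compression */
    size_t n = 0;
    memcpy(buf, head, sizeof head); n += sizeof head;
    for (int i = 0; i < 32; i++) buf[n++] = (uint8_t)(0xa0 + i);  /* random: constructed filler */
    buf[n++] = 32;                                                 /* session id length */
    for (int i = 0; i < 32; i++) buf[n++] = (uint8_t)(0x10 + i);  /* session id: constructed filler */
    memcpy(buf + n, tail, sizeof tail); n += sizeof tail;
    return n;
}

/* Parses a Handshake record carrying a Server Hello into *sh. Returns 0 on success
   or a negative code for malformed input; every length is checked before it is used. */
int parse_server_hello(const uint8_t *p, size_t len, struct server_hello *sh) {
    if (len < 9 || p[0] != 0x16) return -1;                      /* not a Handshake record */
    size_t rec_len = ((size_t)p[3] << 8) | p[4];
    if (rec_len < 4 || rec_len + 5 > len) return -2;              /* record runs past the buffer */
    if (p[5] != 0x02) return -3;                                  /* not a Server Hello */
    size_t hs_len = ((size_t)p[6] << 16) | ((size_t)p[7] << 8) | p[8];
    if (hs_len + 4 > rec_len) return -4;                          /* handshake runs past the record */
    if (hs_len < 2 + 32 + 1) return -5;                           /* version + random + id length */
    const uint8_t *b = p + 9;
    sh->record_version = (uint16_t)((p[1] << 8) | p[2]);
    sh->hello_version  = (uint16_t)((b[0] << 8) | b[1]);
    memcpy(sh->random, b + 2, 32);
    sh->session_id_len = b[34];
    if (sh->session_id_len > 32 || hs_len < 35u + sh->session_id_len + 3) return -6;
    memcpy(sh->session_id, b + 35, sh->session_id_len);
    const uint8_t *q = b + 35 + sh->session_id_len;
    sh->cipher_suite = (uint16_t)((q[0] << 8) | q[1]);
    sh->compression  = q[2];
    return 0;
}

/* Suites this example recognizes (assumed subset). "chained" marks CBC, whose
   encryption cannot be pipelined across blocks; GCM runs AES in counter mode. */
struct suite { uint16_t id; const char *name; int chained; };
static const struct suite SUITES[] = {
    { 0x002f, "TLS_RSA_WITH_AES_128_CBC_SHA",    1 },
    { 0x0035, "TLS_RSA_WITH_AES_256_CBC_SHA",    1 },
    { 0x009c, "TLS_RSA_WITH_AES_128_GCM_SHA256", 0 },
    { 0x009d, "TLS_RSA_WITH_AES_256_GCM_SHA384", 0 },
};

/* 1 if the suite chains blocks, 0 if it does not, -1 if it is not in the table. */
int suite_chains_blocks(uint16_t id) {
    for (size_t i = 0; i < sizeof SUITES / sizeof SUITES[0]; i++)
        if (SUITES[i].id == id) return SUITES[i].chained;
    return -1;
}

const char *suite_name(uint16_t id) {
    for (size_t i = 0; i < sizeof SUITES / sizeof SUITES[0]; i++)
        if (SUITES[i].id == id) return SUITES[i].name;
    return "unknown";
}

int main(void) {
    uint8_t buf[128];
    struct server_hello sh;
    size_t n = build_sample(buf);
    int rc = parse_server_hello(buf, n, &sh);
    if (rc != 0) { printf("parse failed: %d\n", rc); return 1; }
    printf("version 0x%04x, cipher suite 0x%04x (%s), session id %u bytes\n",
           sh.hello_version, sh.cipher_suite, suite_name(sh.cipher_suite), sh.session_id_len);
    printf("blocks chained: %s\n", suite_chains_blocks(sh.cipher_suite) == 1 ? "yes (CBC)" : "no");
    return 0;
}
```

The length checks are the part worth copying: a Server Hello is attacker-influenced input on a client, and the record length, handshake length and session ID length each have to be bounded against the buffer before any byte behind them is read.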

AnandTech and Tom's Hardware have benchmarks of the new AES instructions (using the "Clarksdale" desktop processor instead of "Westmere", but the performance should be essentially the same).

Monday, March 15, 2010

Tech Savvy House Hunting?

As if this month weren't busy enough, I am going through the all too rare joy of house hunting in the Bay Area. Needless to say, anything that can make my job easier will be fantastic.

Here are my requirements. I want to look through real estate websites and save listings. Then, I'd like to access them on my phone while I'm driving (I mean from the passenger seat!) I would like these listings to be arranged on a map so I can travel efficiently. When I get to a listing, I want to edit the info I have on it and include new pictures and text. After I'm done having the most fun a person can have sober, I would like to go home and have all of this information populated in one place. Extra points for geotagging in a useful way.

I have an iPhone, so that's my test machine for this experiment. I played with all the apps people suggested, as well as a fresh test of things I've used in the past, just to be fair.

Realtor.com App - This is actually really close to what I need. Their website has a pretty thorough selection of houses for sale. When I log in, I can tag Saved Listings, and it remembers reliably. On the phone, I can search for new listings or get my saved list populated on a location map. I can even get driving directions or push the address to Google Maps. For each saved listing, I can give it a star rating and write notes. It also has an impressive two part drop down list of common phrases to make notes painless. So why, oh why, can I not add my own pictures to my notes? Other than that one stickler's detail, I have to say kudos to Realtor.com for writing a robust, useful app!

But I really like taking pictures, so I press on...

Evernote App - The most popular suggestion was Evernote. I actually wasn't using it for anything before, so you can trust that my review will be completely biased. This app has a million features, but for my purposes it does require a lot of planning before I go out. Since the real estate sites are not exporting their listings to Evernote, I basically have to copy/paste them into a "note." Since I'm not using Evernote for anything else, I decided that each listing should have its own note, and the address will be the title of the note. I noticed that the app is slow, and I'm not sure that's a feature when I'm on the road trying to type with one eye (from the passenger seat! Safety first.) Each note takes 10 seconds to load with pictures. As an aside, I noticed that the copy on my laptop was instantly synced with the copy of the note on my phone as I was writing. That I don't really care about. So after all that, I opened a copy/pasted listing note with the pretty pictures and informative text, and tried to add to it. The choice to either "Append or Copy" the note made absolutely no sense to me, so of course I deleted some of my text accidentally. Then, the icing on the cake was when I discovered (or rather didn't) that there's no way to add new pictures to an existing note! This is a dealbreaker, folks! Suddenly "a million features" felt more like "nothing special" and I moved right along.

But let us not forget, there is hope!

Flickr App - This one was tricky to find, but I believe the one published by Yahoo is what all the fuss is about. After getting sidetracked by the opening screensaver for like an hour, I logged in. If you're comparing brass tacks, I suppose you could say the Flickr app has the exact same functionality as the Evernote app for this problem. I can take a picture and associate a description, and then find the collection on a website later. The added bonus here is supposed to be the geotagging, which would be a lot more accurate if I actually was at 0°0'00"N, 0°0'00"W, (but this isn't a blog post about house boats.) Other than confirming that Location Services is turned on, I never really figured out how to fix that. Perhaps the applegoogle is just hatin' on the Yahoo Maps ;) Even if it did work, however, there isn't a map function for the phone, so I have to keep looking.

Sometimes the best ideas come from people that didn't mean it.

Tweetie App - This is not meant to be a plug for Tweetie specifically, but it is the Twitter app that I use and love. I imagine this harebrained scheme will work with any Twitter enabled device. So if I have to choose only three out of the five golden requirements, then maybe posting live pictures and descriptions from my phone to the web is as good as any. Plus, there's a certain excessive quality to this solution that is appealing. So I haven't actually tried this, but the idea is to sign up for a Twitter account called "House Hunting 2010" and dump all of the photos and comments in a stream of consciousness. I'll post pics using a service with geo-goodness like BrightKite. The posts will all be in one place, even if the map isn't, and really after I get home I don't need the spots all on one map. I'll have to think for a while about the privacy concerns, but I bet this is the perfect time to try out that "security through obscurity" strategy I keep hearing so much about.

The things I do for science.

Google Maps - Even though I really didn't want to because I was sure it was going to be a disaster, and technically it's not even an iPhone app, in the interest of science I created a map on Google Maps. If I were just using the laptop, this solution would be a serious contender since it automatically ties Google search results with each pin on the map. It still has the problem of requiring cut/paste from real estate websites, but really the main concern is will these maps even open on a phone? I won't burst your bubble, in case you're still holding out for a happy ending.

So perhaps there's something to be said for your first instinct.

The best kind of science is the kind that validates what you're already doing. I'm going to continue to use the Realtor.com app for most of my house hunting activities. The major question is which strategy will I use to take, tag, and post new pictures? I actually like the idea of iPhoto, since I already have it and I've given up on a sophisticated phone solution. Unfortunately the location service is wrong about half the time within 2-4 blocks. That's probably not sensitive enough for my purposes. So I should choose the quickest way to take a photo and then add a description. Sounds like I'll need more testing... any suggestions?