AES Encryption: How To Secure The Enterprise

Security is a top IT concern. This continues to be true as data centers adopt virtualization and cloud technologies.  As the attackers shift to more criminal –based and as regulations require explicit security steps like encryption and reporting, Intel security technologies can really help protect both data in flight, data at rest, and data in applications.  Intel® AES-NI, when rightfully provisioned on the web servers, can assist in removing the performance overhead associated with SSL/TLS transactions used in on-line trading, on-line banking, and ecommerce. Since the easiest place for attackers to intercept is via emails, we urge you to encrypt emails. Also encrypt your drives, encrypt databases, encrypt virtual machines, and encrypt whenever and wherever you can to build defense in depth! Be sure to use AES-NI to make that encryption faster, easier, and stronger.

Let’s look at the faster side of things. In a secure transaction like openSSL, first there’s the RSA asymmetric handshake to establish authentication, followed by AES exchange of bulk data, then followed by SHA integrity checking. AES-NI speeds up the AES slice by more than 10x and speeds up a single openSSL transaction by more than 2x. In an application environment, according to Amdahl’s law, the speedup will be much less and we have seen that a web banking workload can support 23% more simultaneous user transactions on an Intel® Xeon® 5600 series compared with Intel® Xeon® 5500 even without encryption. AES encryption details are available for download.

Intel® AES-NI makes encryption faster by alleviating the need for add-in cards, additional discrete cryptographic silicon and easier because it’s built into the processor.  Stronger meaning there’s no more table lookups like in the software-based algorithm where memory/cache search patterns can lead to shortened key search space.  The hardware instructions based execution reduces vulnerability to side-channel attacks.

Intel® AES-NI is great, but how to make sure the web server is in fact executing AES when you type "https://"? There are a slew of other algorithms out there like RC4/MD5 which is widely used with XP today. The selection of cipher algorithm between the client and server is much dictated by the OS, except in the case of Firefox.  As win7 install base grows, AES will be at the top of the default cipher list. In addition, on the client and the server, using gpedit from the command window, in administrative templates, network/SSL configuration settings, select TLS1.0 and above is a sure way to establish an AES-based secure transaction. If both endpoints, the client and server, are Intel® Xeon® 5600 series (code named Westmere-EP), then voila, you have an AES-NI assisted transaction! Newer Linux builds have openSSL with AES-NI distribution and use $openssl ciphers -v 'AES:ALL' to ensure AES is at the top of the cipher list. The details of how to provision a Windows and Linux web server for Intel® AES-NI encryption are now available in a whitepaper.

In summary, Intel AES-NI helps better protect platforms and data and this helps with compliance that requires explict encryption and reporting.  We urge you to encrypt everywhere, take advantage of AES ciphers, and use Intel® Xeon® 5600 series with built-in AES-NI capabilities to make it faster and stronger. More security deployed, makes for more secure data centers!