Day: 12 November 2020 | Electric Monk

Archive for November 2020

AES and AES-NI

November 12, 2020 IT No comments

What is AES?

The Advanced Encryption Standard Instruction Set and the Intel Advanced Encryption Standard New Instructions allows specific Intel/AMD and other CPUs to do extremely fast hardware encryption and decryption. AES (Advanced Encryption Standard), is a symmetric block cipher which means that blocks of text which have a size of 128 bits are encrypted, which is the opposite to a stream cipher where each character is encrypted one at a time. The algorithm takes a block of plain text and applies alternating rounds of substitution and permutation boxes to it which are separate stages. In AES, the size of each box is 128, 192 or 256 bits, depending on the strength of the encryption with 10 rounds applied for a 128-bit key, 12 rounds for the 192-bit key, and 14 rounds for the 256-bit key, providing higher security.

The figure below shows that potential key combinations exponentially increase with the key size. AES-256 is impossible to break by a brute force attack based on current computing power, making it the strongest encryption standard. However longer key and more rounds requires higher performance requirements. AES 256 uses 40% more system resources than AES 192, and is therefore best suited to high sensitivity environments where security is more important than speed.

AES Block Cipher Modes

There are different AES block cipher modes that are part of AES.

Electronic Code Book

The simplest block cipher mode is Electronic Code Book. This cipher mode just repeats the AES encryption process for each 128-bit block of data. Each block is independently encrypted using AES with the same encryption key. For decryption, the process is reversed. With ECB, identical blocks of unencrypted data, referred to as plain text, are encrypted the same way and will produce identical blocks of encrypted data. This cipher mode is not ideal since it does not hide data patterns well.

Cipher Block Chaining

A newer block cipher mode was created called Cipher Block Chaining. CBC’s aim is to achieve an encryption method that encrypts each block using the same encryption key producing different cipher text, even when the plain text for two or more blocks is identical. Cipher Block Chaining addresses security weaknesses with ECB.

AES-XTS Block Cipher mode

AES-XTS Block Cipher Mode is a new block cipher mode and designed to be stronger than other modes. It eliminates potential vulnerabilities from sophisticated side channel attacks used to exploit weaknesses within other modes. XTS uses two AES keys. One key performs the AES block encryption; the other is used to encrypt what is known as a Tweak Value. This encrypted tweak is further modified with a Galois polynomial function (GF) and XOR with both the plain text and the cipher text of each block. The GF function ensures that blocks of identical data will not produce identical cipher text. This achieves the goal of each block producing unique cipher text given identical plain text without the use of initialization vectors and chaining. Decryption of the data is carried out by reversing this process.

What is AES-NI?

Intel AES New Instructions (Intel AES-NI) is a new encryption instruction set which contains improvements to the AES algorithm and accelerates the encryption of data in the Intel Xeon processor family and the Intel Core processor suite. AES is a symmetric block cipher that encrypts/decrypts data through several rounds. It is part of the FIPS standard.

There are seven new instructions. The instructions have been implemented to perform some of the complex and performance intensive steps of the AES algorithm. Hardware is used to accelerate the AES algorithms. Intel say that AES-NI can be used to accelerate the performance of an implementation of AES by 3 to 10x over a total software implementation.

How does it work?

A fixed block size of plain text is encrypted several times to produce a final encrypted output. The number of rounds (10, 12, or 14) used depends on the key length (128, 192, or 256). Each round feeds into the following round. Each round is encrypted using a subkey that is generated using a key schedule

What are the six new instructions?

The new instructions perform several computationally intensive parts of the AES algorithm using fewer clock cycles than a software solution.

Four of the new instructions accelerate the encryption/decryption of a round
Two new instructions are for round key generation.

Improved security

The new instructions also improve security by preventing side channel attacks on AES. Encryption and decryption are performed completely in hardware without the need for software lookup tables. By running in data-independent time and not using tables, they help in eliminating the major timing and cache-based attacks that target table-based software implementations of AES. In addition, AES is simple to implement, with reduced code size, which helps reducing the risk of introducing security flaws, such as difficult-to-detect side channel leaks.

Most of the cloud providers such as Amazon, Google, IBM, Microsoft offer instances equipped with this Intel extension and use it as security feature in their products. AES can be used in applications where confidentiality and integrity is of highest priority. If cryptographic strength is a major factor in the application, AES is the best suited algorithm.

Search

Search for:
Calendar

November 2020

M T W T F S S

1

2 3 4 5 6 7 8

9 10 11 12 13 14 15

16 17 18 19 20 21 22

23 24 25 26 27 28 29

30

« Oct Dec »
Social Media and RSS
vExpert
Recent Posts
- Introduction to Artificial Intelligence November 12, 2024
- Windows Virtualization Based Security June 8, 2024
- SNMP explained January 29, 2023
- Using tcpdump December 14, 2022
- Vdbench August 7, 2022
Archives
- November 2024 (1)
- June 2024 (1)
- January 2023 (1)
- December 2022 (1)
- August 2022 (1)
- February 2022 (2)
- October 2021 (1)
- July 2021 (1)
- May 2021 (1)
- March 2021 (1)
- February 2021 (1)
- January 2021 (1)
- December 2020 (1)
- November 2020 (2)
- October 2020 (1)
- August 2020 (1)
- July 2020 (2)
- June 2020 (2)
- April 2020 (1)
- March 2020 (2)
- December 2019 (1)
- November 2019 (2)
- August 2019 (1)
- July 2019 (1)
- May 2019 (1)
- April 2019 (1)
- February 2019 (1)
- January 2019 (2)
- December 2018 (1)
- November 2018 (1)
- October 2018 (1)
- August 2018 (1)
- June 2018 (1)
- April 2018 (1)
- March 2018 (1)
- January 2018 (1)
- November 2017 (1)
- October 2017 (1)
- September 2017 (1)
- August 2017 (1)
- June 2017 (1)
- May 2017 (1)
- April 2017 (2)
- March 2017 (1)
- February 2017 (1)
- January 2017 (1)
- December 2016 (1)
- November 2016 (2)
- September 2016 (1)
- August 2016 (2)
- July 2016 (2)
- May 2016 (2)
- February 2016 (3)
- January 2016 (3)
- December 2015 (3)
- November 2015 (1)
- October 2015 (2)
- September 2015 (2)
- August 2015 (2)
- July 2015 (2)
- June 2015 (3)
- May 2015 (2)
- April 2015 (1)
- March 2015 (2)
- February 2015 (2)
- January 2015 (2)
- December 2014 (3)
- November 2014 (2)
- October 2014 (1)
- September 2014 (2)
- August 2014 (2)
- July 2014 (2)
- June 2014 (3)
- May 2014 (1)
- April 2014 (1)
- March 2014 (6)
- February 2014 (2)
- January 2014 (2)
- December 2013 (1)
- November 2013 (3)
- October 2013 (5)
- September 2013 (1)
- August 2013 (2)
- July 2013 (6)
- June 2013 (4)
- May 2013 (5)
- April 2013 (4)
- March 2013 (28)
- February 2013 (53)
- January 2013 (63)
- December 2012 (13)
- November 2012 (11)
- October 2012 (13)
- September 2012 (6)
- August 2012 (16)
- July 2012 (22)
- June 2012 (16)
- May 2012 (19)
- April 2012 (10)
- March 2012 (13)
- February 2012 (32)
- January 2012 (25)
Categories
- AI (1)
- Benchmarking (3)
- Certification (164)
  - Microsoft (1)
  - VCAP5 DCA (155)
    - Objective 1 Storage (33)
    - Objective 2 Networking (21)
    - Objective 3 Tuning and Optimisation (26)
    - Objective 4 Business Continuity (11)
    - Objective 5 Operational Maintenance (15)
    - Objective 6 Advanced Troubleshooting (28)
    - Objective 7 Secure a vSphere environment (15)
    - Objective 8 Perform Scripting and Automation (8)
    - Objective 9 Advanced vSphere Installation (8)
  - VCP5-DCV (1)
- Cisco (1)
- Command Line (8)
  - PowerCLI (3)
  - Robocopy (1)
  - vCLI (1)
- Flex 10 (1)
- FreeNas (2)
- IMM/RSA (1)
- IPv6 (2)
- IT (38)
- Kubernetes (1)
- McAfee Products (1)
- microsoft (89)
  - Active Directory (7)
  - ActiveSync (1)
  - App-V (2)
  - Auditing (1)
  - BgInfo (1)
  - CA (1)
  - Clustering (6)
    - Microsoft Failover Clustering (2)
    - SQL Failover Clustering (1)
  - DFS (5)
  - DHCP (1)
  - Disk Quotas (1)
  - DNS (1)
  - Excel (1)
  - Forest Trusts (1)
  - Group Policy (3)
  - Hyper V (1)
  - Kerberos (1)
  - NAP (1)
  - Networking (2)
  - NLB (2)
  - NTFS (1)
  - Performance (3)
  - PowerShell (5)
  - Process Explorer (1)
  - Registry Mods (1)
  - RemoteApp (1)
  - Roaming Profiles (3)
  - ROUTE Command (1)
  - Shrinking Drives (1)
  - SQL Server (6)
  - System Volume Information (1)
  - Technet Labs (1)
  - Terminal Services (7)
  - Time Synchronisation (1)
  - UAC (1)
  - Upgrading Windows Editions (1)
  - WFAS (1)
  - Windows Firewall (1)
  - Windows Server 2012 (9)
  - XP Mode (1)
- Mobile Telephony (1)
- Networking (3)
- Oracle RAC (1)
- Personal (8)
- Security (1)
- SNMP (1)
- SRM (1)
- Storage (6)
- Technology (2)
- VdBench (1)
- Viso (1)
- VMware (206)
  - Active Directory Integration (1)
  - AD LDS (1)
  - Antivirus (1)
  - AutoDeploy (4)
  - Autolab (1)
  - Blogs (1)
  - Certificates (1)
  - Cloning (2)
  - Cluster Admission Control (1)
  - Clustering (3)
  - Compatibility Guide (1)
  - Database (6)
  - Documentation Center (4)
  - DRS (1)
  - ESXTOP + RESXTOP (4)
  - EVC (1)
  - F5 Load Balancer (1)
  - Guest O/S Customization (1)
  - HA (7)
  - Host profiles 6.5 (2)
  - iPad Knowledge App (1)
  - Labs (1)
  - Licensing (2)
  - Logs (3)
  - Monitoring (15)
  - NetFlow (1)
  - Networking (10)
  - NLB (1)
  - PowerCLI (4)
  - PSA and NMP (1)
  - RDM (1)
  - Resource Pools (1)
  - SMP (2)
  - Snapshots (1)
  - SSO (2)
  - Storage (32)
  - Time Syncing (1)
  - TPS (1)
  - UMDS (2)
  - Upgrading (3)
  - USB Devices (1)
  - VAAI (1)
  - vApps (1)
  - VASA (1)
  - vCenter (7)
  - vCheck (1)
  - vCLI (1)
  - VCSA 6.5 (2)
  - vMA (1)
  - vMotion (2)
  - VMware Labs (1)
  - VMware Tools (1)
  - VMware View (1)
  - vRA (13)
    - F5 Load Balancer with vRA (1)
    - vRA Certificates (1)
    - vRA Distributed Deployment v6.2.3 (3)
      - Part 1 (1)
      - Part 2 (1)
      - Part 3 (1)
    - vRA Small Deployment v6.2.3 (7)
      - Part 1 (1)
      - Part 2 (1)
      - Part 3 (1)
      - Part 4 (1)
      - Part 5 (1)
      - Part 6 (1)
      - Part 7 (1)
    - vRA7 (1)
      - vRA7 Minimal Deployment (1)
  - vRealize Log Insight (3)
    - Management Packs (1)
    - vCO Monitoring (1)
  - vROps (1)
    - Replacing Certificates (1)
  - VSA (1)
  - vSAN (8)
    - HCIBench (3)
    - vSAN Stretched Cluster (1)
  - vSphere 6 (10)
    - Decommissioning vCenter and PSC (1)
    - HTML5 Web Client (1)
    - JXplorer (1)
    - Platform Services Controller (5)
      - Enhanced Linked Mode (1)
      - High Availability (1)
      - Multisite (3)
    - PSC Replication (1)
    - Registering Orchestrator in vSphere (1)
  - vSphere Web Client (1)
- Web (1)
Tags

2012 ad AutoDeploy Certificate certification cluster Clustering DB DFS DRS esxi firewall gpo HA I/O iSCSI Labs logs LUN memory Microsoft NIC Performance powercli powershell PSA PSC RDM RDS sql storage Storage vMotion troubleshooting tuning upgrade vCenter vDS vm VMDK VMware vRA vro VSAN vsphere6 vSS
Fatcow Webhosting

Archive for November 2020

AES and AES-NI

Electric Monk

Don't think about what can happen in a month. Don't think what can happen in a year. Just focus on the 24 hours in front of you and do what you can to get closer to where you want to be :-)

Search

Calendar

Social Media and RSS

vExpert

Recent Posts

Archives

Categories

Tags

Fatcow Webhosting