Technology Desktop trends shrink to small form factors Integrated CPU cryptography acceleration secures small computers

By J. Scott Gardner

Security is becoming an unconditional requirement for even the smallest adoption of digital signatures, of embedded systems. New cryptography support is now available in a secure system must implement the form of on-CPU hardware and Operating Systems (OSs) APIs. larger hash functions. After 2010, These implementations save size, power, and cost while increasing the NIST has specified that federal performance of cryptographic functions. agencies should no longer use SHA-1 and must migrate to the more intensive SHA-2 family. 3. Advanced Encryption Cipher: For embedded systems designers, spare What does secure computing Advanced Encryptionly Standard CPU cycles quickly become a precious really mean? (AES)n replacing Data Encryption resource as the software workload seem- While government agencies have created Standard (DES) and Triple DES ingly always grows to double the original rigorous definitions for secure systems, O(3DES). A secure cipher lies at the prediction for the system. Many small commercial products vendors have takent heart of any cryptography system, form factor products operate in environ- several marketing liberties when making and AES has emerged as required ments that require security features for claims about security. With i then new technology for secure systems. protecting information, yet the protection industry focus for a morer disciplined Many small form factor products level often has to be scaled back to free approach to security,P any definition of are used in networking applications up compute resources for the primary secure computing should be evaluated that require multiple secure sessions. software tasks. In the past, designers for three broadle computing categories: One of the more popular protocols, could cut corners with security features random number generation, secure hash- Internet Protocol security (IPsec), given that many nongovernmental cus- ing functions,g and cryptographic ciphers. allows an encrypted message payload tomers viewed security as a “check-box” inThe National Institute of Standards and or fully secure packets (encrypting item and didn’t understand the stagger- Technology (NIST) provides quantitative all header information as well as the ing complexity that differentiates Sgood testing methods for evaluating the follow- payload). Now that AES is replacing implementations. Of course, rthe system ing operations: DES and 3DES, AES-encrypted software developers aren’to given enough sessions will quickly overload soft- time in development schedules to imple- 1. Random numbers: Pseudorandom ware implementations. To support ment and verifyF robust cryptographic may not be good enough. The multiple IPsec streams, small form algorithms. evolving baseline for any secure factor products will need to integrate implementation should include hardware acceleration for AES. But now, increasing unconditional the fast generation of numbers that requirements for secure computing are exhibit high degrees of random- Cryptographics move on chip causing a seismic shift in the industry. ness, far beyond the pseudorandom Until now, designers with security needs The good news for system developers numbers from lightweight software have incorporated dedicated security hard- is that mainstream CPUs are incorpo- algorithms. Good random numbers ware in the form of either a fixed-function rating cryptographic function hardware are critical for generating truly secure device or a specialized communications acceleration, eliminating most of the encryption keys. While software processor with cryptographic features. performance penalties that result from algorithms attempt to create random But this approach has disadvantages in providing more than token security fea- numbers by sampling system events cost, power, size, and system efficiency. tures. Instead of being forced to write low- (keystrokes, network activity, timer In a 2006 report from The Linley Group, level code to enable security hardware, values, and others), enough determin- “A Guide to Security and Content Proces- software developers gain transparent ism often remains in the algorithms sors,” Fifth Edition, volume prices range access to CPU acceleration through stan- to reduce the randomness of the from $85 for the SafeNet 1842 to $700 for dard cryptographic API calls. As newer values. Hardware implementations the Cavium Nitrox II 2800, while power CPUs with on-chip cryptographic measure on-chip circuits that vary consumption ranges from 5 W to 15 W. acceleration become available, embed- with electronic noise, resulting in Adding another chip or daughterboard ded system designers can access the PC extremely high entropy. has limitations that transcend the obvious ecosystem with built-in security APIs 2. Secure hash functions: NIST cost barrier. Most small form factor for all major OSs. The simplified soft- moving beyond Secure Hash products still require a general purpose ware model, coupled with low-cost CPU Algorithm 1 (SHA-1). Hashing processor, and the system architec- acceleration, ensures that real security algorithms are used in many cryp- ture often transfers data multiple times will finally become pervasive in small tographic tasks, including random between the CPUs, system bus, and form factor embedded systems. number generation. With the rapid memory subsystems. The software model

PC/104 and Small Form Factors ©2007 OpenSystems Publishing. Not for Distribution. can become quite complicated, and cessors were one of the first x86 CPUs to mates that AES cryptography requires system designers often must write their integrate cryptographic acceleration (see 117 CPU clocks per byte, in dramatic own low-level drivers to fit the external sidebar), RISC CPUs are now promoting contrast to a fully integrated x86 CPU cryptographic hardware into the memory secure computing with a combination of solution that takes 1.5 clocks per byte. maps, direct memory access, and inter- hardware and software features. In the rupt request architecture. Freescale i.MX family of multimedia Accelerating the OS application processors, for example, the The enormous software ecosystem is Integrating cryptographic functions on i.MX31 runs software cryptographic one of the unchallenged advantages of the CPU reduces size, power, and system algorithms in an ARM11 core, dedicating the x86 architecture. Every major desk- cost while improving system efficiency hardware resources to physical security top and embedded OS now has a set over off-CPU solutions. While VIA pro- for storing keys in RAM. Freescale esti- of cryptographic primitives in an API

PADLOCK

PadLock – cryptography for free In 2002, VIA’s Centaur design team led by Glenn Henry began n The CPU measures the random frequency of integrating cryptographic acceleration on all its CPUs under free-running ring oscillators, autonomously filling the VIA PadLock initiative. The accelerators piggyback on the a queue with new random numbers lfory software to main processor pipeline, allowing hardware engines to add access. These ring oscillators nproduced better less than a millimeter of silicon area. randomness than traditional approaches that measure diode noise. O Unlike dedicated, slow ASICs, these on-chip cryptographic n The SHA-256 hardwaret accelerator integrated on-chip is engines operate at the same multi-GHz clock speeds as the rest part of the SHA-2 family. of the circuit-optimized pipeline. A cryptographic operation is n Accordingin to independent testing groups, the on-chip launched with a single instruction that can be accessed with AESr hardware engine is fast enough to remove Ring 3 privileges. This unified programming model allows Pcryptography as the performance bottleneck (as much straightforward software support, eliminating thousands of as 80 times faster than software), allowing networking lines of code when compared to software cryptography.l e performance to scale with the speed of the memory subsystem. Figure 1 shows the VIA C7 block diagram. The C7g processor is the latest VIA x86 family and implementsin on-chip the three For more information, download the PadLock whitepaper at critical secure computing functionsr S described earlier: www.via.com.tw/en/initiatives/padlock/. Fo

Figure 1

PC/104 and Small Form Factors ©2007 OpenSystems Publishing. Not for Distribution. Technology Desktop trends shrink to small form factors

library that relieves software writers VoIP sessions, potentially requiring AES from the mathematical complexity of to encrypt packets. Each node of the cryptographic algorithms. In addition to is part of a secure network that uses the CryptoAPI in , software devel- temporal, symmetric AES encryption and opers can access cryptographic func- certificated key exchange to ensure data tions in Java and the various flavors of is secure and only gets routed through Microsoft Windows, including Windows trusted nodes. The MeshBox uses hard- CE, Embedded XP, and . ware encryption to maintain a secure wired backhaul with the network hub. The OS provides a mechanism for Without hardware acceleration, the node enabling cryptographic function hard- throughput would be severely limited. ware acceleration. Some OSs require a Software Development Kit (SDK) from The future for small, secure the hardware vendor to install accelerated computing versions of the cryptographic functions. The adoption of secure computing has While Linux allows the developer to build accelerated as competitors have begun an optimized kernel with the latest APIs, to use robust security as a differentiating ly a Windows environment uses dynamically feature. Recognizing these trends, Intel n linked libraries that call cryptography ser- has announced that its forthcoming vice providers. While any API can add a Tolapai processor, which is targeted at O substantial amount of software overhead, embedded systems, will have securityt Figure 2 supporting hardware acceleration does features. While few details have been not require any code changes for the pro- made public, Intel has access toi - grammer. Java cryptography presents one graphic technology from its developmentr example of a software-intensive environ- of XScale network P processors. Initial J. Scott Gardner ment, and Java developers have reported Intel products likely will use a multichip is an engineer and a 20 times speed-up with several CPU package withle a dedicated security chip consultant who cryptography-accelerated applications. on the CPU system bus. This architecture began his career may g introduce some system overhead, 25 years ago An example: inbut Intel will eventually integrate the designing micro- mesh networking device security functions onto the CPU silicon. processor-based One interesting application of secure Scom- To remain competitive in embedded mar- systems. He has puting in a small form factor systemr comes kets, AMD likely will be forced to offer served in various marketing and man- from a British companyo that develops security-enhanced CPUs as well. agement roles in the semiconductor applications for wireless mesh networking. industry, most notably during 10 years A mesh topologyF allows users to seam- With the proliferation of hardware- at IDT. He has recently held executive lessly move within the mesh coverage area, accelerated security features from more staff or board positions at several maintaining a constant wireless network RISC vendors and all three x86 CPU sup- startups and continues to consult part connection to the closest node on the mesh. pliers, software developers will be able time. Scott received a BS in Electrical LocustWorld (www.locustworld.com) to select robust security as the default Engineering from the University of developed an access point on a VIA code path. As users have learned more Kansas and an MBA from Santa C3-based Mini-ITX board. about the shortfalls of existing security Clara University. implementations, commercial customers The MeshBox (see Figure 2) uses standard have begun to demand the same level of 802.11 hardware and allows for secure sophistication governmental agencies To learn more, contact Scott at: connections through the mesh, using the require. With integrated CPU accelera- Linux Cryptographic API to take advan- tion’s lower cost and power consumption, Advantage Engineering LLC tage of the CPU’s acceleration features. even very small form factors will imple- [email protected] The MeshBox might need to handle mul- ment secure computing. ➤ www.advantage-engineer.com tiple virtual private network or encrypted

PC/104 and Small Form Factors ©2007 OpenSystems Publishing. Not for Distribution.