Features of PadLock

The VIA PadLock™ Security Engine integrated into the VIA C7 and VIA Eden processor family supports secure computing through the inclusion of five powerful security features. These five key features, when enabled, provide strong military-grade protection on the VIA PadLock enabled device:

1. Secure Hash Algorithm: SHA-1 and SHA-256 – Throughput at rates of up to 5 gigabits per second.
2. AES Encryption: ECB, CBC, CFB, and OFB modes – Another method of encrypting information at rates of up to 25 gigabits per second.


3. Montgomery Multiplier: An invaluable tool to assist the encryption of information using the RSA Public key algorithm.


4. NX Execute Protection: When enabled, this feature prevents most worms from proliferating on your device.


5. Random Number Generator: Two random number generators can create unpredictable random numbers at a rate of 1600K to 20M per second.

For a technical guide on the VIA PadLock Security Engine and its constituents, please read the VIA PadLock Security Engine Application Notes found here…

Secure Hash Algorithm: SHA-1 & SHA-256

Secure Hash Algorithm is a method of securing important information in such a way that:

• It's computationally difficult or impossible to hack;
• If the information is intercepted and contents modified, the entire hash function changes, leaving clear evidence that the message has been tampered with.

This type of cryptographic technique is used to provide a unique checksum(signature) or to verify the contents of a message that

• Assists in confirming a user's identity
• When a message is sent to another party, the message itself can be protected using Secure Hash Algorithm. This protected message can be sent in addition to the original message as a method of verifying that the contents of the message have not been altered.

Some applications that can use Secure Hash Algorithm include:

• Assists the process of encryption of information on the hard drive to help give users stronger protection against physical theft.
• Helps businesses that want to establish a secure and private connection between the employee and the main office.
• Enables companies that want to communicate confidentially with their employees in the field, to use Secure Hash Algorithm as part of creating a secure Virtual Private Network.

The VIA PadLock Security Engine includes two types of secure hash encryption: SHA-1 and SHA-256.

SHA-1 requires an enormous amount of computational power to even attempt to break it (a few thousand computers and about 10 years of your life!), while SHA-256 is currently considered to be unbreakable.

VIA PadLock-enabled applications that use the Secure Hash feature can secure data at a rate of up to 5 gigabits per second. To put that into context, most internal companies networks operate at either 10 or 100 megabits per second; in other words, VIA PadLock can hash data using this cryptographic technique at a rate of up to 200 times faster than conventional networks can communicate at.

For more information regarding the Secure Hash engine, please read the VIA PadLock Security Engine Application Notes found here...

AES Encryption

AES is cryptographic algorithm that is used for encrypting data between two parties across an unsecured connection. Again, it currently has not been cracked by any hacker in the world, and because of this is used as a standard method of communicating and storing confidential information by governments in the U.S. and many other countries around the world.

AES encryption is used to:

• Securely stream information continuously across an unsecured Internet connection.
• Encrypt data on a hard drive or device to stop hackers using Internet based tools to read information on the drive, or to stop thieves of notebooks reading the contents of the drive.

The VIA PadLock Security Engine integrated into all recent VIA processors includes a powerful AES cryptography engine, the VIA PadLock ACE, that allows information to be encrypted at a rate of up to 20 gigabits per second.

Like the secure hash feature, VIA PadLock ACE allows information to be encrypted and either stored or transmitted at a rate of up to 200 times faster than a standard network connection, and up to 25 times faster than the speed of most hard drives.

For more information about the VIA PadLock ACE, please click here or read the VIA PadLock Security Application Notes found here…

How does AES Encryption work?

The AES cryptographic algorithm is a powerful security tool designed to protect data exchanged and stored. VIA has included the VIA PadLock AES cryptographic engine in all recent VIA processors, and with each generation has expanded its feature set and performance to become the world’s fastest x86 AES engine.

NB: Below represents a simplified explanation of the AES cryptographic algorithm designed for readers with little or no prior knowledge of security techniques. For a more detailed explanation of the AES cryptographic algorithm, please click here.

AES encryption uses a secret key of a variable length (128-bit, 196-bit or 256-bit). This key is secretly exchanged between two parties before communication begins.

AES encryption gets the message or information that needs to be sent and wraps it around a big container that resembles something like a four storey high Rubik's™ cube (for the mathematically inclined AES Encryption is an algorithm based on permutations). This is then twisted like a Rubik's cube, so that the information is scrambled. The key is actually used to perform this function, and the bigger the key, the bigger the cube.

The scrambled cube is then sent to party B. Party B uses the key to unscramble the cube and read the message.

Figure 1 illustrates the AES method of encryption included in the VIA PadLock Security Engine.

Figure 2: AES Encryption takes a message and performs permutations in a method similar to a giant Rubik's™ cube to make the message being sent unreadable. Step 1:John secretly sends to Mary a key to unlock any message he sends to her. Step 2:John puts his message into the VIA PadLock AES engine, which spreads it out onto a virtual Rubik's cube where each side of each square represents a letter. Step 3:The secret key is then used to make the Rubik's cube about four storeys high (depending on the size of the secret key used) and then scrambles the squares of the cube up in the same way a Rubik's cube is scrambled. Step 4:The scrambled Rubik's cube is then sent through the Internet to Mary, who uses the secret key to solve the cube puzzle and return it back to its normal configuration, and reads the message.

NX Execute Protection

NX Execute Protection is feature included in the VIA PadLock™ Security Engine within the VIA C7 and VIA Eden processor family that provides a front line of defense against worm attacks on computing devices.

NB: Below represents a simplified explanation of NX Execute Protection designed for readers with little or no prior knowledge of security techniques. For a more detailed explanation of NX Execute Protection, please read the VIA PadLock Security Engine Application Notes found here.

How does it work?

When a computer boots and runs, it uses a management tool called an operating system to control how, when and where everything works.
To do this, the operating system divides the system memory (the computer's RAM) into two sections, executable memory and data memory. The operating system runs programs in the executable memory. It stores in the data memory the results of the program it is running.

A worm operates by living inside a program that when executed begins it wriggle its way across to the executable memory and attaches itself to another program running.
Once attached, the worm is allowed by the laws of the operating system to execute.

When a worm executes, it works either to overflow the buffer or to spread to other programs running or to files on the hard drive, and/or sends itself out across the Internet.

The VIA PadLock Security Engine uses an innovative method to stop worms from doing their job, by including a feature called NX Execute Protection.

When NX Execute Protection is enabled, it builds a virtual wall between the executable and data sections of the memory, which prevents worms from spreading from one section of the memory to the other in order to execute themselves.

This stops these types of worms dead in their tracks.

Figure 2 illustrates how NX Execute Protection operates

Figure 3: NX Execute Protection creates a wall to stop worms from doing their job. When worms try to spread themselves to the executable memory, the NX Execute Protection stops them by building a virtual wall between the two memory areas.

The NX Execute Protection in the VIA PadLock™ Security Engine is enabled in leading software operating systems including:

• Microsoft® Server 2003 with Service Pack 1
• Microsoft® Windows® XP with Service Pack 2
• SUSE Linux 9.2
• Red Hat Enterprise Linux 3 Update 3

Montgomery Multiplier

The Montgomery Multiplier is a "turbo charger" for public key algorithms like RSA.

RSA and public key algorithms are methods of encryption that enable two parties to communicate across unsecured lines. Public key algorithms differ from the AES cryptographic and Secure Hash techniques, in that no key is secretly passed from one party to the other before communication begins.

How does it work?

The VIA PadLock Security Engine includes a Montgomery Multiplier to accelerate public key generation enabling up to 900 signings of RSA 1024-bit per second.

NB: Below represents a simplified explanation of the Montgomery Multiplier designed for readers with little or no prior knowledge of security techniques. For a more detailed explanation of Montgomery Multiplier, please read the VIA PadLock Security Engine Application Notes found here.

This different method of communication operates by issuing each user with two keys, a public and a private one.  The public key is available for everyone to see and registries exist on the Internet in a similar way to a telephone directory. A private key is kept secret by each party, and at no time do they exchange keys.

To send a message, party A looks up party's B public key and uses it to encrypt the message. Party A may then broadcast the encrypted message to anywhere on the Internet, because the only person that can read the message is party B. When party B receives the encrypted message, they use their private key to decrypt the message and then read the message.

Whilst this method of communication is extremely effective, the mathematics involved in generating the keys used for transmission usually requires large amounts of the processor power and time. In fact, the mathematics involved in this process is regarded by many as the hardest type of work a computer can do.

The VIA PadLock Security Engine helps VIA PadLock-enabled applications that use this type of secure communication by offloading the hard work involved in key generation and encrypting/decrypting the message to the VIA PadLock cryptography engine. This frees up valuable processing power and allows applications to run with smoothly during execution.

This is of particular importance to mobile computing due to the fact that

1. Freeing up processing power reduces the drain on battery life that this type of processing typically causes.
2. It allows companies to broadcast messages and vital information to their employees without knowing their location (important in wireless networks).
3. It can be used to secure Voice over IP communication.

Figure 3 illustrates RSA public key encryption and how the Montgomery Multiplier aids in the process.

Figure 4: The Montgomery Multiplier accelerates the encryption process reducing processor power requirements. Step 1: John looks up Mary's public key on the Internet telephone directory. Step 2: John uses Mary's public key with the RSA algorithm to encrypt and secure the information he wants to send. John then sends the encrypted message. Step 3: Mary uses her private key to unlock and decrypt the message to read it. Note: Using the Montgomery Multiplier the process of transmission is the same; however, the speed of encryption and decryption is significantly reduced. That means John can either send Mary messages quicker or send longer messages within the same timeframe. One of the main areas the Montgomery Multiplier really opens up is the ability for John and Mary to have a sustained conversation by real-time streaming of encrypted messages, which makes this type of communication perfect for secure Voice over IP, Video Conferencing and permanent connections with office networks

Twin Random Number Generators

For all methods of securing information available today, the strength of key generation and encryption foundations are based on the quality of random numbers.

Simply put, the more random a set of numbers chosen for the key and encryption process, the stronger the foundation it will have. A stronger foundation makes it harder for hackers to break the encrypted data and reveal the contents.

Thus, the more random the numbers used in the encryption process, the harder it is for a hacker to do their job. However, until now most computers have struggled in creating unique random numbers.

This is primarily because computers can not generate true random numbers on their own. They can only generate pretend random numbers, or pseudo-random numbers.

Pseudo-random numbers are created by using computer events to generate randomness; typically events such as user keystrokes on a keyboard or mouse movements are used. Whilst in theory this isn't such a bad way to create randomness, users tend to be very repetitive in their movement of the mouse and the type and speed of keys pressed on the keyboard. This repetition causes the pseudo-random numbers to develop repeatable patterns. Hackers can then use this repetition as a tool to crack the code of encrypted messages.

VIA PadLock eliminates random number repetition as a tool for hackers to use.

How does it work?

The VIA PadLock Security Engine integrates twin quantum based random number generators that produce truly random numbers at a sustained rate of 12 million per second. These random numbers can be used in the process of key generation and encryption to reduce the statistic trends that hackers use to exploit protected information.

NB: Below represents a simplified explanation of the VIA PadLock Security Engine RNG designed for readers with little or no prior knowledge of security techniques. For a more detailed explanation of VIA PadLock Security Engine RNG, please click here or read the VIA PadLock Security Engine Application Notes found here.

It does this by using its own internal random number generators, the VIA PadLock RNGs, that base their randomness on the movement patterns of electrons under certain conditions. Movement patterns in electrons are highly random. In fact, an entire field of physics exists to describe the behavior of electrons, called quantum mechanics.

Quantum mechanics scientists studied these electrons in some detail and discovered that there is no way of predicting how an electron will move. Indeed, just looking at an electron changes the way it moves (in science this is called the uncertainty principle).
This concept when applied to security means that the VIA PadLock Security Engine can output highly random numbers very quickly.

So quick is the VIA PadLock RNG that, depending on level of entropy (amount of randomness) required, generation is up to 12 million truly random numbers per second.

For all computing and especially mobile computing, this speed is an essential part of secure operation.

• Continuous secure wireless network transmissions require good random numbers as their foundation.
• Virtual private networks providing a sustained connection require good random numbers as their first line of defense against hacker techniques.
• Helps to create stronger keys used in hard drive encryption

Figure 4 illustrates this concept of predictability in random numbers.

Figure 5: Software based random number generators produce statistically predictable random numbers, while the VIA PadLock RNG generates random numbers that are not predictable. The VIA PadLock RNG uses quantum mechanics to ensure there is no group and repetition of random numbers generated by its engine. Software based RNGs, however, can not do this because they base the calculations to extract random numbers on events that have varying levels of predictability.