The VIA PadLock Security Engine comprises ground-breaking features integrated into all recent VIA x86 processors. As part of the VIA PadLock Security Initiative, the VIA PadLock Security Engine provides a platform approach to computer security, ensuring uncompromising security performance working in concert with leading edge security software.
These features include the implementation of the Quantum-based VIA PadLock RNG (Random Number Generator), and the VIA PadLock ACE (Advanced Cryptography Engine) supporting U.S. Government standard AES encryption, Secure hash SHA-1/SHA-256 encryption and accelerated RSA algorithm computation (through the inclusion of a Montgomery Multiplier). Elements of the VIA PadLock Security Engine have been integrated into the VIA C7, VIA C7-M, VIA Eden® ESP, Eden®-N, VIA C3®-M, and VIA C3® processors (see here for a comparison of recent processors).
Please click on the following features to find out more about security requirements and VIA's approach to meeting these challenges:
To download a detailed guide to the VIA C5J PadLock Security Engine, please click here.
Random Number Generation
The Need for Random Numbers
As security algorithms become more complex in an attempt to thwart hackers, their foundation random numbers have become a paramount issue in delivering secure platforms. This issue has been accelerated by the proliferation in usage of mobile devices that often involve transmission and storage locally of mission critical information.
The key issues that need to be addressed in delivering a secure computing platform are:
Data encryption is a forefront issue in delivering information securely across mobile and embedded platforms.
Whilst there are many ways of providing this security, most secure applications implement an asymmetric (public key) or symmetric encryption system (of varying levels of complexity).
The cryptographic strength of these encryption systems depends on the strength of the key, that is, the difficulty of predicting, guessing, or calculating the key. To ensure that keys cannot be easily guessed, random number generators are used to produce cryptographic keys and other secret parameters in virtually all security applications.
Challenge/response authentication protocols require that challenge values be as unpredictable as possible to ensure that attackers cannot re-use data from previous authentication transactions. The strength of passwords used to protect access and information also depends on the difficulty of predicting or guessing the password. As a result, strong random number generators are necessary to automatically generate strong passwords.
Digital signatures and message digests are used to guarantee the integrity of communications over a network. Random numbers are often used in digital signature algorithms to make it difficult for a malicious party to forge the signature. Many signing algorithms, including the U.S. Government's Digital Signature Standard also require random sources to ensure the security of the signing keys.
In short, good security requires good random numbers.
How to Generate Random Numbers
In general there are three methods for generating random numbers: software, physical sources, and Quantum uncertainty.
The most common approach to generating random numbers is by using a deterministic algorithm implemented by a computer program. Such deterministic algorithms cannot generate truly random numbers (at best they are predictable and reproducible, and at worst, have bad statistical characteristics). Thus, software generators are usually called pseudo-random or quasi-random generators.
A second approach to generate random numbers is to use physical phenomena that fall in between software generators and quantum based hardware generators. For example, the Linux operating system has random number generators that use entropy generated by the keyboard, mouse, interrupts, and disk drive behavior as the seed. Microsoft's® CryptGenRandom function (part of the Microsoft CryptoAPI) is similar using, for instance, mouse or keyboard timing input, that are then added to both a stored seed and various system data and user data.
While these physical activities may look random, their randomness cannot be proven, and they run the risk of generating poor entropy (or no entropy) if the sampled physical activity is dormant or repetitive. There are several potential security vulnerabilities when using such physical activities. For example, in networked applications such as browsers, the application traffic between a client and server effectively publishes the locations and sequence of the client's mouse-events. Similarly, users may enable "snap-to" options that center the mouse pointer in the center of the button to be pressed and make the click locations predictable. As a result, the entropy from mouse movements in these environments could be far less than an RNG designer expected.
The only truly random generator is a mechanism that detects quantum behavior at the sub-atomic level. This is because randomness is inherent in the behavior of sub-atomic particles. A quantum based hardware generator is practical, with examples that have been used including:
1) The interval between the emission of particles during radioactive decay. This source generates only 30 bytes per second and requires a cumbersome (and dangerous?) collection of hardware.
2) The thermal noise across a semiconductor diode or resistor.
This is the approach most often used in add-on PC hardware.
3) The charge developed on a capacitor during a particular time period.
4) The frequency instabilities of multiple free running oscillators.
This approach is the basis of the VIA PadLock RNG approach. While implemented differently than the resistor based approach, ultimately, the source of randomness is the same.
These sources have been used in a few commercially available add-on random number generator devices, none of which have achieved much visibility or use. Since they are peripheral devices such as PCI cards and serial port devices, these commercial hardware generators are expensive and cumbersome.
VIA Padlock RNG: On-Die Quantum Randomness
To address this need for good random numbers in security applications, VIA introduced the Nehemiah processor core in January 2003 that included the VIA Padlock RNG, integrating a high-performance hardware-based random number generator onto the processor die. The VIA PadLock RNG uses random electrical noise on the processor chip to generate highly random values at an extremely fast rate. It provides these numbers directly to security applications via a unique x86 instruction that has built-in multi-tasking support.
Capable of creating random numbers at rates of between 800K to 1600K bits per second, the VIA PadLock RNG addresses the needs of security applications requiring high bit rates that algorithmically increases the quality (randomness) of the entropy produced, for example by applying hashing algorithms to the output.
The VIA PadLock RNG uses a system of Asynchronous Multi-byte Generation, where the hardware generates random bits at its own pace. These accumulate into hardware buffers with no impact on program execution. Software may then read the accumulated bits at any time. This asynchronous approach allows the hardware to generate large amounts of random numbers completely overlapped with program execution. This is opposed to good software generators, which can be fast but consume a significant number of CPU cycles and have a negative affect on affecting overall system performance.
The VIA PadLock RNG has undergone comprehensive testing by leading data security firm, Cryptography Research, Inc.; results show high-performance, high-quality entropy and ease of use. See the complete Cryptography Research report, "Evaluation of VIA C3 Random Number Generator," dated February 27, 2003.
Short for Advanced Encryption Standard, AES is a highly advanced data encryption technique developed by Belgian cryptographers Joan Daemen and Vincent Rijmen. After a rigorous multi-year evaluation process, in 2001 the US Government chose AES as the new government standard (FIPS-197), replacing the older DES encryption standard. AES provides far greater security through much larger key size and an improved encryption algorithm.
AES encrypts and decrypts 128-bit blocks of data with 3 standard key lengths:
1) 128-bit key length that corresponds to approx. 3.4 x 1038 keys
2) 192-bit key length corresponding to approx 6.2 x 1057 keys
3) 256-bit key length corresponding to approx. 1.1 x 1077 keys
By comparison, DES has approx. 7.2 x 1016 keys. To try and put this into perspective, if we assumed a super-computer could break the DES code in one second, it would take the same super computer 149 thousand billion years to decode an AES key with a 128-bit key length.
AES encryption is also particularly well suited for electronic devices such as PCs, IP and mobile phones, PDAs, firewalls, and wireless standards, such as the high-speed 802.11g standard.
The VIA PadLock Advanced Cryptography Engine (ACE)
VIA processors featuring cores from the C5P Nehemiah core onwards integrate a powerful Advanced Cryptography Engine that can encrypt or decrypt data at a sustained rate of 12.8 gigabits per second (Gb/s). For a single encryption or decryption, the effective rate can be even faster, up to 21Gb/s. This is faster than any known commercial AES hardware implementation, and several times faster than software implementations carried out with the latest high performance processors.
By utilizing the hardware-based VIA PadLock ACE, encryption can be done in the background with practically no impact on program execution. The result is virtually transparent encryption/decryption, as the VIA PadLock ACE reduces the number of CPU cycles required for encryption, leaving more of the system's resources for other tasks such as digital entertainment.
Software-based encryption without the VIA PadLock ACE on the other hand, uses a lot of CPU cycles, often resulting in dropped frames during video playback and a noticeable decrease in overall system performance.
The VIA PadLock ACE directly supports all three AES key sizes (128-bits, 196-bits, and 256-bits) in hardware, and with the same performance. In addition to a single application being able to use the VIA PadLock ACE, any number of tasks can use it concurrently without requiring supplemental task management by the application or the operating system. Although implementation of the VIA PadLock ACE contains additional x86 state, the using tasks do not need to save and restore this state - the hardware manages the additional state in a transparent fashion.
The table below indicates how the VIA PadLock ACE provides encryption/decryption at speeds in orders of magnitude faster than a high-speed Intel® Pentium® 4 processor with approximately only half of the CPU utilization.
Encryption Performance comparison with the VIA PadLock ACE
RSA Algorithms and VIA Padlock Montgomery Multiplier
VIA processors featuring the ‘Esther' core include a powerful Montgomery Multiplier, supporting key sizes up to 32K in length, used to accelerate the computational throughput of public key cryptography, such as RSA algorithms.
Used the by U.S. Government, RSA Algorithms are an encryption mechanism based on the asymmetric encryption method, or public key encryption. Public key encryption allows transmission of secure information across unsecured mediums.
Encryption under this system requires that the sender and receiver both have two keys; a private key and a public key. To initiate secure communication under a RSA system the sender asks for the receiver's public key. This key can either be attained by a direct request to the receiver or by looking up a central database of keys. Using the receiver's public key the sender encrypts the information to be sent across the unsecured medium.
When the receiver gets the communiqué they use their private key to decrypt the secured information.
To send information back to the original sender the receiver uses the sender's public key to encrypt the response.
This public key-private key process provides ultra-secure one-to-one communication across unsecured mediums.
VIA's PadLock Montgomery Multiplier expedites this process while at the same time reducing significantly the processor load during the key construction and data encryption by eliminating the processor taxing exercise of the large number division required to perform this type of encryption.
Secure Hash Algorithms, a form of symmetric encryption, is also included in VIA processors based on the ‘Esther' core.
Implementing the SHA-1 and SHA-256 variants of secure hash, the VIA Padlock SHA engine can deliver real-time data encryption peaking at 5 gigabits per second.
This algorithm is again endorsed and used at all levels of the U.S. Government and operates by compressing the data needed and encrypting it into message digests. Each message digest is created so that the information inside is computationally infeasible to be read by an outside party.
Table: An example of the message digests produced by SHA-1:
SHA-1 Hash Digest
By studying the contents of each SHA-1 secure hash digest it becomes immediately evident that a change of character case on the same word produces a completely different encrypted message.
In fact a change of just one bit within a message causes a completely different secure hash message digest to be created. This allows easy detection of message manipulation, as a message cannot be decrypted, altered even slightly and re-encrypted without producing an entirely different message digest. This is why most governments and organizations in the world now use a implementation of the secure hash algorithm.
SHA-256 is a more secure version of SHA-1, using a 256bit hash algorithm (SHA-1 uses a 160 bit algorithm), and is currently considered completely unbreakable.
Despite this advantage, SHA-1 and SHA-256 secure hash algorithms suffer from one drawback: they all require enormous consumption of processor cycles in the computation of digests, especially when a high throughput is required.
However, VIA has solved this problem by integrating the computation of secure hash algorithms SHA-1 and SHA-256 directly onto the processor die.
By incorporating secure hash into the VIA PadLock Security Engine, VIA has effectively shifted the computational process of large-scale number crunching away from the main processor to the PadLock engine.
Thus, a developer can include real-time secure hash encryption in their applications without worrying that the process will significantly affect other applications or processes running concurrently.
Malicious buffer overflow attacks and worms pose a significant threat to commercial and personal computing.
These worms operate by causing a buffer overflow to cause damage to the system it is executed on and/or to propagate itself across networks.
NX Execute Protection is a hardware based mechanism to prevent the proliferation of these worms and some types of viruses.
The VIA Padlock NX featured in the VIA C7 and C7-M processors implements NX Execute Protection by classifying what areas in memory can execute code and which areas cannot execute code.
When a worm attempts to "overflow" the buffer or insert executable code into the buffer, the VIA PadLock Security Engine in conjunction with Microsoft® Windows® XP Service Pack 2 (and some Linux distributions) prevents access. In this way, the VIA Padlock engine halts the proliferation of worms and stops local damage caused by their execution.
VIA Padlock's NX Execute Protection is enabled in conjunction with
Microsoft® Server 2003 with Service Pack 1
Microsoft® Windows® XP with Service Pack 2
SUSE Linux 9.2
Red Hat Enterprise Linux 3 Update 3
VIA PadLock: Security Integrated Directly onto the Processor
The processor die diagram below of the latest VIA C7 processor shows how the VIA PadLock Security Engine is built directly into the hardware. The moderate amount of real estate on the processor die demonstrates the efficiency in design in enabling considerable levels of world-class security functionality within a relatively small area.