1 ========================================================================
2 README for Intel(R) Multi-Buffer Crypto for IPsec Library
5 ========================================================================
12 2. Processor Extensions
16 6. Security Considerations & Options for Increased Security
18 8. Disclaimer (ZUC, KASUMI, SNOW3G)
24 Intel Multi-Buffer Crypto for IPsec Library is highly-optimized
25 software implementations of the core cryptographic processing for IPsec,
26 which provides industry-leading performance on a range of Intel(R) Processors.
28 For information on how to build and use this library, see the
30 "Fast Multi-buffer IPsec Implementations on Intel Architecture Processors".
31 Jim Guilford, Sean Gulley, et. al.
33 The easiest way to find it is to search the Internet for the title and
36 Table 1. List of supported cipher algorithms and their implementations.
37 +---------------------------------------------------------------------+
39 | Encryption +-----------------------------------------------------|
40 | | x86_64 | SSE | AVX | AVX2 | AVX512 | VAES(5)|
41 |---------------+--------+--------+--------+--------+--------+--------|
42 | AES128-GCM | N | Y by8 | Y by8 | Y by8 | Y by8 | Y by48 |
43 | AES192-GCM | N | Y by8 | Y by8 | Y by8 | Y by8 | Y by48 |
44 | AES256-GCM | N | Y by8 | Y by8 | Y by8 | Y by8 | Y by48 |
45 | AES128-CCM | N | Y by4 | Y by8 | N | N | N |
46 | AES128-CBC | N | Y(1) | Y(3) | N | N | Y(6) |
47 | AES192-CBC | N | Y(1) | Y(3) | N | N | Y(6) |
48 | AES256-CBC | N | Y(1) | Y(3) | N | N | Y(6) |
49 | AES128-CTR | N | Y by4 | Y by8 | N | N | Y by16 |
50 | AES192-CTR | N | Y by4 | Y by8 | N | N | Y by16 |
51 | AES256-CTR | N | Y by4 | Y by8 | N | N | Y by16 |
52 | AES128-ECB | N | Y by4 | Y by4 | N | N | N |
53 | AES192-ECB | N | Y by4 | Y by4 | N | N | N |
54 | AES256-ECB | N | Y by4 | Y by4 | N | N | N |
55 | NULL | Y | N | N | N | N | N |
56 | AES128-DOCSIS | N | Y(2) | Y(4) | N | N | N |
57 | DES-DOCSIS | Y | N | N | N | Y x16 | N |
58 | 3DES | Y | N | N | N | Y x16 | N |
59 | DES | Y | N | N | N | Y x16 | N |
60 | KASUMI-F8 | Y | N | N | N | N | N |
61 | ZUC-EEA3 | N | Y | Y | N | N | N |
62 | SNOW3G-UEA2 | N | Y | Y | Y | N | N |
63 +---------------------------------------------------------------------+
66 (1,2) - decryption is by4 and encryption is x4
67 (3,4) - decryption is by8 and encryption is x8
68 (5) - AVX512 plus VAES and VPCLMULQDQ extensions
69 (6) - decryption is by16 and encryption is x16
72 byY - single buffer Y blocks at a time
73 xY - Y buffers at a time
75 As an example of how to read table 1 and 2, if one uses AVX512 interface
76 to perform AES128-CBC encryption then there is no native AVX512
77 implementation for this cipher. In such case, the library uses best
78 available implementation which is AVX for AES128-CBC.
81 Table 2. List of supported integrity algorithms and their implementations.
82 +-------------------------------------------------------------------------+
84 | Integrity +-----------------------------------------------------|
85 | | x86_64 | SSE | AVX | AVX2 | AVX512 | VAES(3)|
86 |-------------------+--------+--------+--------+--------+--------+--------|
87 | AES-XCBC-96 | N | Y x4 | Y x8 | N | N | N |
88 | HMAC-MD5-96 | Y(1) | Y x4x2 | Y x4x2 | Y x8x2 | N | N |
89 | HMAC-SHA1-96 | N | Y(2)x4 | Y x4 | Y x8 | Y x16 | N |
90 | HMAC-SHA2-224_112 | N | Y(2)x4 | Y x4 | Y x8 | Y x16 | N |
91 | HMAC-SHA2-256_128 | N | Y(2)x4 | Y x4 | Y x8 | Y x16 | N |
92 | HMAC-SHA2-384_192 | N | Y x2 | Y x2 | Y x4 | Y x8 | N |
93 | HMAC-SHA2-512_256 | N | Y x2 | Y x2 | Y x4 | Y x8 | N |
94 | AES128-GMAC | N | Y by8 | Y by8 | Y by8 | Y by8 | Y by48 |
95 | AES192-GMAC | N | Y by8 | Y by8 | Y by8 | Y by8 | Y by48 |
96 | AES256-GMAC | N | Y by8 | Y by8 | Y by8 | Y by8 | Y by48 |
97 | NULL | N | N | N | N | N | N |
98 | AES128-CCM | N | Y x4 | Y x8 | N | N | N |
99 | AES128-CMAC-96 | Y | Y x4 | Y x8 | N | N | N |
100 | KASUMI-F9 | Y | N | N | N | N | N |
101 | ZUC-EIA3 | N | Y | Y | N | N | N |
102 | SNOW3G-UIA2 | N | Y | Y | Y | N | N |
103 +-------------------------------------------------------------------------+
106 (1) - MD5 over one block implemented in C
107 (2) - Implementation using SHANI extentions is x2
108 (3) - AVX512 plus VAES and VPCLMULQDQ extensions
111 byY - single buffer Y blocks at a time
112 xY - Y buffers at a time
114 Table 3. Encryption and integrity algorithm combinations
115 +---------------------------------------------------------------------+
116 | Encryption | Allowed Integrity Algorithms |
117 |---------------+-----------------------------------------------------|
118 | AES128-GCM | AES128-GMAC |
119 |---------------+-----------------------------------------------------|
120 | AES192-GCM | AES192-GMAC |
121 |---------------+-----------------------------------------------------|
122 | AES256-GCM | AES256-GMAC |
123 |---------------+-----------------------------------------------------|
124 | AES128-CCM | AES128-CCM |
125 |---------------+-----------------------------------------------------|
126 | AES128-CBC, | AES-XCBC-96, |
127 | AES192-CBC, | HMAC-SHA1-96, HMAC-SHA2-224_112, HMAC-SHA2-256_128, |
128 | AES256-CBC, | HMAC-SHA2-384_192, HMAC-SHA2-512_256, |
129 | AES128-CTR, | AES128-CMAC-96, |
130 | AES192-CTR, | NULL |
140 |---------------+-----------------------------------------------------|
141 | KASUMI-F8 | KASUMI-F9 |
142 |---------------+-----------------------------------------------------|
143 | ZUC-EEA3 | ZUC-EIA3 |
144 |---------------+-----------------------------------------------------|
145 | SNOW3G-UEA3 | SNOW3G-UIA3 |
146 +---------------+-----------------------------------------------------+
149 2. Processor Extensions
150 =======================
152 Table 4. Processor extensions used in the library
153 +-------------------------------------------------------------------------+
154 | Algorithm | Interface | Extensions |
155 |-------------------+-----------+-----------------------------------------|
156 | HMAC-SHA1-96, | AVX512 | AVX512F, AVX512BW, AVX512VL |
157 | HMAC-SHA2-224_112,| | |
158 | HMAC-SHA2-256_128,| | |
159 | HMAC-SHA2-384_192,| | |
160 | HMAC-SHA2-512_256 | | |
161 |-------------------+-----------+-----------------------------------------|
162 | DES, 3DES, | AVX512 | AVX512F, AVX512BW |
164 |-------------------+-----------+-----------------------------------------|
165 | HMAC-SHA1-96, | SSE | SHANI |
166 | HMAC-SHA2-224_112,| | - presence is autodetected and library |
167 | HMAC-SHA2-256_128,| | falls back to SSE implementation |
168 | HMAC-SHA2-384_192,| | if not present |
169 | HMAC-SHA2-512_256 | | |
170 |-------------------+-----------+-----------------------------------------|
176 Legacy or to be avoided algorithms listed in the table below are implemented
177 in the library in order to support legacy applications. Please use corresponding
178 alternative algorithms instead.
180 +-------------------------------------------------------------+
181 | # | Algorithm | Recommendation | Alternative |
182 |---+--------------------+----------------+-------------------|
183 | 1 | DES encryption | Avoid | AES encryption |
184 |---+--------------------+----------------+-------------------|
185 | 2 | 3DES encryption | Avoid | AES encryption |
186 |---+--------------------+----------------+-------------------|
187 | 3 | HMAC-MD5 integrity | Legacy | HMAC-SHA1 |
188 |---+--------------------+----------------+-------------------|
189 | 3 | AES-ECB encryption | Avoid | AES-CBC, AES-CNTR |
190 +-------------------------------------------------------------+
192 Intel(R) Multi-Buffer Crypto for IPsec Library depends on C library and
193 it is recommended to use its latest version.
195 Applications using the Intel(R) Multi-Buffer Crypto for IPsec Library rely on
196 Operating System to provide process isolation.
197 As the result, it is recommended to use latest Operating System patches and
203 LibTestApp - Library test applications
204 LibPerfApp - Library performance application
205 sse - Intel(R) SSE optimized routines
206 avx - Intel(R) AVX optimized routines
207 avx2 - Intel(R) AVX2 optimized routines
208 avx512 - Intel(R) AVX512 optimized routines
209 no-aesni - Non-AESNI accelerated routines
212 There is just one branch used in the project. All development is done on the
213 master branch. Code taken from the tip of the master branch should not be
214 considered fit for production.
215 Refer to the releases tab for stable code versions:
216 https://github.com/intel/intel-ipsec-mb/releases
227 - NASM version 2.13.03 (or newer)
228 - gcc (GCC) 4.8.3 (or newer)
239 > make clean SHARED=n
241 Build with debugging information:
244 Note: Building with debugging information is not advised for production use.
246 For more build options and their explanation run:
253 - Microsoft (R) Visual Studio 2015:
254 - NMAKE: Microsoft (R) Program Maintenance Utility Version 14.00.24210.0
255 - CL: Microsoft (R) C/C++ Optimizing Compiler Version 19.00.24215.1 for x64
256 - LIB: Microsoft (R) Library Manager Version 14.00.24215.1
257 - LINK: Microsoft (R) Incremental Linker Version 14.00.24215.1
258 - Note: Building on later versions should work but is not verified
259 - NASM version 2.13.03 (or newer)
261 Shared library (DLL):
262 > nmake /f win_x64.mak
265 > nmake /f win_x64.mak SHARED=n
268 > nmake /f win_x64.mak clean
270 > nmake /f win_x64.mak clean SHARED=n
272 Build with additional safety features:
273 - SAFE_DATA clears sensitive information stored in stack/registers
274 - SAFE_PARAM adds extra checks on input parameters
275 - SAFE_LOOKUP uses constant-time lookups (enabled by default)
276 > nmake /f win_x64.mak SAFE_DATA=y SAFE_PARAM=y
278 Build with debugging information:
279 > nmake /f win_x64.mak DEBUG=y
281 Note: Building with debugging information is not advised for production use.
283 For more build options and their explanation run:
284 > nmake /f win_x64.mak help
286 FreeBSD (64-bit only)
287 ---------------------
291 - NASM version 2.13.03 (or newer)
292 - gcc (GCC) 4.8.3 (or newer) / clang 5.0 (or newer)
303 > gmake clean SHARED=n
305 Build with debugging information:
308 Note: Building with debugging information is not advised for production use.
310 For more build options and their explanation run:
313 6. Security Considerations & Options for Increased Security
314 ===========================================================
316 Security Considerations
317 -----------------------
318 The security of a system that uses cryptography depends on the strength of
319 the cryptographic algorithms as well as the strength of the keys.
320 Cryptographic key strength is dependent on several factors, with some of the
321 most important factors including the length of the key, the entropy of the key
322 bits, and maintaining the secrecy of the key.
324 The selection of an appropriate algorithm and mode of operation critically
325 affects the security of a system. Appropriate selection criteria is beyond the
326 scope of this document and should be determined based upon usage, appropriate
327 standards and consultation with a cryptographic expert. This library includes some
328 algorithms, which are considered cryptographically weak and are included only
329 for legacy and interoperability reasons. See the "Recommendations" section for
332 Secure creation of key material is not a part of this library. This library
333 assumes that cryptographic keys have been created using approved methods with
334 an appropriate and secure entropy source. Users of this library are
335 referred to NIST SP800-133 Revision 1, Recommendation for Cryptographic Key
336 Generation, found at https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-133r1.pdf
338 Even with the use of strong cryptographic algorithms and robustly generated
339 keys, software implementations of cryptographic algorithms may be attacked
340 at the implementation through cache-timing attacks, buffer-over-reads, and
341 other software vulnerabilities. Counter-measures against these types of
342 attacks are possible but require additional processing cycles. Whether a
343 particular system should provide such counter-measures depends on the threats
344 to that system, and cannot be determined by a general library such as this
345 one. In order to provide the most flexible implementation, this library allows
346 certain counter-measures to be enabled or disabled at compile time. These
347 options are listed below as the "Options for Increased Security" and are
348 enabled through various build flags.
350 Options for Increased Security
351 ------------------------------
352 There are three build options that can be enabled to increase safety in the
353 code and help protect external functions from incorrect input data.
354 SAFE_DATA and SAFE_PARAM options are disabled by default, due to
355 the potential performance impact associated to the extra code added.
356 SAFE_LOOKUP option is enabled by default, and can be disabled
357 by setting the parameter equal to "n" (e.g. make SAFE_LOOKUP=n).
359 These options (explained below) can be enabled when building the library,
360 by setting the parameter equal to "y" (e.g. make SAFE_DATA=y).
361 No specific code has been added, and no specific validation or security
362 tests have been performed to help protect against or check for side-channel
368 Stack and registers containing sensitive information, such as keys or IVs,
369 are cleared upon completion of a function call.
374 Input parameters are checked, looking generally for NULL pointers
375 or an incorrect input length.
380 Lookups which depend on sensitive information are implemented with
381 constant time functions.
382 Algorithms where these constant time functions are used are the following:
385 - DES: SSE, AVX and AVX2 implementations
386 - KASUMI: all architectures
387 - SNOW3G: all architectures
388 - ZUC: all architectures
390 If SAFE_LOOKUP is not enabled in the build (e.g. make SAFE_LOOKUP=n) then the
391 algorithms listed above may be susceptible to timing attacks which could expose
392 the cryptographic key.
400 First compile the library and then install:
404 To uninstall the library run:
405 > sudo make uninstall
407 If you want to change install location then define PREFIX
408 > sudo make install PREFIX=<path>
410 If there is no need to run ldconfig at install stage please use NOLDCONFIG=y option.
411 > sudo make install NOLDCONFIG=y
413 If library was compiled as an archive (not a default option) then install it
414 using SHARED=n option:
415 > sudo make install SHARED=n
420 First compile the library and then install from a command prompt in
422 > nmake /f win_x64.mak
423 > nmake /f win_x64.mak install
425 To uninstall the library run:
426 > nmake /f win_x64.mak uninstall
428 If you want to change install location then define PREFIX (default C:\Program Files)
429 > nmake /f win_x64.mak install PREFIX=<path>
431 If library was compiled as a static library (not a default option) then install it
432 using SHARED=n option:
433 > nmake /f win_x64.mak install SHARED=n
435 FreeBSD (64-bit only)
438 First compile the library and then install:
442 To uninstall the library run:
443 > sudo gmake uninstall
445 If you want to change install location then define PREFIX
446 > sudo gmake install PREFIX=<path>
448 If there is no need to run ldconfig at install stage please use NOLDCONFIG=y option.
449 > sudo gmake install NOLDCONFIG=y
451 If library was compiled as an archive (not a default option) then install it
452 using SHARED=n option:
453 > sudo gmake install SHARED=n
455 8. Disclaimer (ZUC, KASUMI, SNOW3G)
456 ===================================
458 Please note that cryptographic material, such as ciphering algorithms, may be
459 subject to national regulations. What is more, use of some algorithms in
460 real networks and production equipment can be subject to agreement or
461 licensing by the GSMA and/or the ETSI.
463 For more details please see:
464 - GSMA https://www.gsma.com/security/security-algorithms/
465 - ETSI https://www.etsi.org/security-algorithms-and-codes/cellular-algorithm-licences
471 THIS SOFTWARE IS PROVIDED BY INTEL"AS IS". NO LICENSE, EXPRESS OR
472 IMPLIED, BY ESTOPPEL OR OTHERWISE, TO ANY INTELLECTUAL PROPERTY RIGHTS
473 ARE GRANTED THROUGH USE. EXCEPT AS PROVIDED IN INTEL'S TERMS AND
474 CONDITIONS OF SALE, INTEL ASSUMES NO LIABILITY WHATSOEVER AND INTEL
475 DISCLAIMS ANY EXPRESS OR IMPLIED WARRANTY, RELATING TO SALE AND/OR
476 USE OF INTEL PRODUCTS INCLUDING LIABILITY OR WARRANTIES RELATING TO
477 FITNESS FOR A PARTICULAR PURPOSE, MERCHANTABILITY, OR INFRINGEMENT
478 OF ANY PATENT, COPYRIGHT OR OTHER INTELLECTUAL PROPERTY RIGHT.