
Intel security hardware technology: a new word in the protection of biometric applications. Part 2

In the first part, we discussed the problems of modern biometric user recognition applications and how Intel SGX, Intel VMX and Intel IPT can improve their protection. Today we continue the conversation on biometric security and look at the Intel AES-NI, Intel Secure Key and Intel RealSense technologies.


To protect important data or program code during execution, cryptographic algorithms and address space layout randomization (ASLR) are widely used. These technologies are applied both at the level of ordinary applications and at the level of the operating system. Random numbers are an important part of both.

Intel Secure Key


If you want to generate a key pair or randomize an address space, a true random number generator is better than a pseudo-random number generator. Intel Secure Key technology provides the x86 instruction RDRAND, which can be used to create a high-quality random number generator.
The RDRAND instruction embodies an innovative approach to building a high-quality, high-performance random number generator based on a hardware entropy source. The generator follows a cascade model: the entropy source built into the processor periodically reseeds a hardware cryptographically secure pseudo-random number generator. As a result, the RDRAND instruction can generate random numbers conforming to the NIST SP 800-90A standard. For the most common use cases, it can be considered a generator of truly random numbers.


The RDRAND instruction gets data from the internal hardware random number generator

There are many ways to use RDRAND.

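1. Call RDRAND directly in assembly language code or inline assembler in C++.

– Assembly: rdrand %edx
– Inline assembler:

    unsigned long therand;
    unsigned char err;
    asm volatile("rdrand %0 ; setc %1"
                 : "=r" (therand), "=qm" (err));
    // therand -> the random number, valid only when err is 1
    // err -> carry flag: 1 = a random number was returned, 0 = none was available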

2. Using the library from Intel (librdrand). It is written in C/C++, and there are versions for Windows, Linux and OS X.

3. Using third-party libraries.
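The first option above, carried through to something an application could call, as an added example that is not from the original article or from librdrand: it checks CPUID for RDRAND support, retries a bounded number of times when the carry flag reports no data, and never returns a partially filled buffer. The function names and the retry count of 10 are assumptions of this sketch.

```c
#include <stdio.h>
#include <string.h>
#if defined(__x86_64__) || defined(__i386__)
#include <cpuid.h>
#define HAVE_X86_RDRAND_ASM 1
#endif
#define RDRAND_RETRIES 10 /* assumed bound; Intel's DRNG guide suggests 10 */

/* 1 if CPUID.01H:ECX bit 30 (RDRAND) is set, else 0. */
int rdrand_supported(void) {
#ifdef HAVE_X86_RDRAND_ASM
    unsigned int a, b, c, d;
    return __get_cpuid(1, &a, &b, &c, &d) && ((c >> 30) & 1);
#else
    return 0;
#endif
}

/* Caller must check rdrand_supported() first. 1 = success, 0 = no data. */
int rdrand32_retry(unsigned int *out) {
#ifdef HAVE_X86_RDRAND_ASM
    for (int i = 0; i < RDRAND_RETRIES; i++) {
        unsigned int v;
        unsigned char ok; /* setc writes one byte: CF=1 means v is valid */
        __asm__ volatile("rdrand %0 ; setc %1" : "=r"(v), "=qm"(ok) : : "cc");
        if (ok) { *out = v; return 1; }
    }
#endif
    (void)out;
    return 0;
}

/* Fill buf with n random bytes. 0 on success; -1 on failure, buf zeroed. */
int rdrand_fill(unsigned char *buf, size_t n) {
    unsigned int v;
    int ok = rdrand_supported();
    for (size_t off = 0; ok && off < n; off += sizeof v) {
        ok = rdrand32_retry(&v);
        if (ok) memcpy(buf + off, &v, n - off < sizeof v ? n - off : sizeof v);
    }
    if (!ok) memset(buf, 0, n); /* never hand back partial output */
    return ok ? 0 : -1;
}

int main(void) {
    unsigned char key[32];
    int rc = rdrand_fill(key, sizeof key);
    puts(rc == 0 ? "32 bytes of key material generated" : "RDRAND unavailable");
    return rc != 0;
}
```

A caller that gets -1 should fall back to the operating system's random number source rather than proceed with the zeroed buffer.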


Intel AES-NI


Intel Advanced Encryption Standard New Instructions (Intel AES-NI) is a set of instructions designed to accelerate applications that use AES, one of the most popular symmetric encryption algorithms. AES is widely used to encrypt data stored in RAM and on hard drives, and to protect information transmitted over the network. The aim is to keep confidential data protected even if an attacker manages to copy it from a storage medium or intercept it in transit.


Data Link Encryption Using AES

To increase the security margin, it is recommended to perform encryption using several rounds of AES, which is equivalent to increasing the length of the cryptographic key. In 2010, Intel introduced a new instruction set (Intel AES-NI) that offers full hardware support for AES encryption and decryption. This increases performance and reduces memory consumption. Today, almost all Intel desktop and mobile processors support AES-NI. The table below shows the performance gain from using AES-NI compared with a purely software implementation of the algorithm that does not use these instructions.

The test device was an Intel Atom Z3770 (Bay Trail) FFRD8 PR1 running Android 4.4; the OpenSSL native C API was used.

| Mode (CBC/256) | File size, MB | With AES-NI, sec | Without AES-NI, sec |
|---|---|---|---|
| Encryption | 351 | 2.89 | 14.59 |
| Encryption | 56 | 0.48 | 2.63 |
| Decryption | 351 | 1.76 | 19.78 |
| Decryption | 56 | 0.29 | 3.16 |

As the table shows, using Intel AES-NI instructions gave a 5-fold increase in performance when encrypting and an 11-fold increase when decrypting. It should also be noted that using AES-NI reduces energy consumption by about 40%.

Currently, most popular operating systems have native support for Intel AES-NI. When an application calls a cryptographic API that the system provides, for example the Windows CNG API or the javax.crypto classes in Android, the low-level driver automatically uses AES-NI instructions to improve performance. In addition, many libraries, for example OpenSSL 1.0.1, Intel Integrated Performance Primitives and Crypto++, are optimized to make maximum use of AES-NI.
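To show what those libraries do underneath, here is an added example (not code from the article, OpenSSL or Intel) that detects AES-NI through CPUID and encrypts one block with the AES-NI instructions, checked against the FIPS-197 Appendix C.1 test vector. It is narrowed to a single AES-128 block rather than the CBC/256 mode benchmarked above, the function names are assumptions of this sketch, and it builds only for x86 with GCC or Clang.

```c
#include <stdio.h>
#include <string.h>
#include <cpuid.h>
#include <wmmintrin.h>
#define AESNI __attribute__((target("aes,sse2"))) /* no -maes flag needed */

/* 1 if CPUID.01H:ECX bit 25 (AES-NI) is set, else 0. */
int aesni_supported(void) {
    unsigned int a, b, c, d;
    return __get_cpuid(1, &a, &b, &c, &d) && ((c >> 25) & 1);
}

/* Derive the next AES-128 round key from the previous one. */
AESNI static __m128i next_key(__m128i k, __m128i assist) {
    assist = _mm_shuffle_epi32(assist, 0xff);
    k = _mm_xor_si128(k, _mm_slli_si128(k, 4));
    k = _mm_xor_si128(k, _mm_slli_si128(k, 4));
    k = _mm_xor_si128(k, _mm_slli_si128(k, 4));
    return _mm_xor_si128(k, assist);
}
#define NEXT(k, rcon) next_key((k), _mm_aeskeygenassist_si128((k), (rcon)))

/* Encrypt one 16-byte block with AES-128. 0 on success, -1 without AES-NI. */
AESNI int aes128_encrypt_block(const unsigned char *key, const unsigned char *in,
                               unsigned char *out) {
    __m128i rk[11], s;
    if (!aesni_supported()) return -1;
    rk[0] = _mm_loadu_si128((const __m128i *)key);
    rk[1] = NEXT(rk[0], 0x01); rk[2] = NEXT(rk[1], 0x02);
    rk[3] = NEXT(rk[2], 0x04); rk[4] = NEXT(rk[3], 0x08);
    rk[5] = NEXT(rk[4], 0x10); rk[6] = NEXT(rk[5], 0x20);
    rk[7] = NEXT(rk[6], 0x40); rk[8] = NEXT(rk[7], 0x80);
    rk[9] = NEXT(rk[8], 0x1b); rk[10] = NEXT(rk[9], 0x36);
    s = _mm_xor_si128(_mm_loadu_si128((const __m128i *)in), rk[0]);
    for (int i = 1; i < 10; i++) s = _mm_aesenc_si128(s, rk[i]);
    s = _mm_aesenclast_si128(s, rk[10]);
    _mm_storeu_si128((__m128i *)out, s);
    return 0;
}

/* FIPS-197 Appendix C.1 vector: 1 = match, 0 = mismatch, -1 = no AES-NI. */
int fips197_selftest(void) {
    unsigned char key[16], pt[16], ct[16];
    static const unsigned char want[16] = {0x69,0xc4,0xe0,0xd8,0x6a,0x7b,0x04,0x30,
                                           0xd8,0xcd,0xb7,0x80,0x70,0xb4,0xc5,0x5a};
    for (int i = 0; i < 16; i++) { key[i] = i; pt[i] = i * 0x11; }
    if (aes128_encrypt_block(key, pt, ct) != 0) return -1;
    return memcmp(ct, want, 16) == 0;
}
int main(void) { printf("FIPS-197 self-test: %d\n", fips197_selftest()); return 0; }
```

Application code should still go through the system API or a maintained library as described above; encrypting blocks one at a time like this is not a usable mode of operation.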

Intel RealSense Camera Depth Test and Depth Sensor


Biometric user recognition based on facial analysis is widely used in everyday life, for example to unlock Android devices and personal computers. Because face recognition relies on a traditional optical camera that can capture only flat images, the system cannot distinguish a real person from a photo. As a result, an attacker can pass the authorization procedure using a printed photograph of the user's face.

The Intel RealSense camera can capture depth information, which opens up very interesting possibilities. One of its functions is to build three-dimensional models of the people and objects in front of the lens. This makes Intel RealSense usable as a liveness test tool in some biometric capture scenarios and, as a result, increases the security of biometric systems. The regular camera that is part of RealSense takes pictures of the user's face, while the 3D scanning module simultaneously builds a three-dimensional picture of what is in front of the camera. The spatial characteristics of the facial area can then easily be used to determine whether a person is looking into the camera, or whether a flat sheet of paper has been placed where a face should be.


Three-dimensional model of a face captured by the Intel RealSense F200 depth camera. Obviously, there is a real person in front of the camera.


A sheet of paper, albeit with a printed photo of the user, remains flat for the Intel RealSense F200 depth camera. Obviously, this is a fake.
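One way to turn that flat-versus-relief observation into a check, as an added example that is not from the article and uses no RealSense SDK calls: fit a least-squares plane to the depth samples in the face region and measure how far the surface departs from it. The depth patches are constructed, and the 3 mm threshold and function names are assumptions of this sketch.

```c
#include <stdio.h>

#define GRID 21            /* constructed 21x21 depth patch over the face box */
#define FLAT_RMS_MM 3.0    /* assumed threshold; tune to the sensor's noise */

/* Mean squared residual (mm^2) of the patch around its least-squares plane
   z = a*x + b*y + c, where x and y are pixel indices and z is depth in mm. */
double plane_residual(double z[GRID][GRID]) {
    double m = (GRID - 1) / 2.0, n = GRID * GRID, zm = 0;
    double sxx = 0, sxy = 0, syy = 0, sxz = 0, syz = 0, ss = 0;
    for (int y = 0; y < GRID; y++)
        for (int x = 0; x < GRID; x++) zm += z[y][x] / n;
    for (int y = 0; y < GRID; y++)
        for (int x = 0; x < GRID; x++) {
            double dx = x - m, dy = y - m, dz = z[y][x] - zm;
            sxx += dx * dx; sxy += dx * dy; syy += dy * dy;
            sxz += dx * dz; syz += dy * dz;
        }
    double det = sxx * syy - sxy * sxy;             /* > 0 on a full grid */
    double a = (sxz * syy - syz * sxy) / det, b = (syz * sxx - sxz * sxy) / det;
    for (int y = 0; y < GRID; y++)
        for (int x = 0; x < GRID; x++) {
            double r = z[y][x] - zm - a * (x - m) - b * (y - m);
            ss += r * r;
        }
    return ss / n;
}

/* 1 = surface is planar (photo or screen suspected), 0 = has facial relief. */
int looks_flat(double z[GRID][GRID]) {
    return plane_residual(z) < FLAT_RMS_MM * FLAT_RMS_MM;
}

/* Constructed samples: a tilted sheet, and a dome 40 mm proud of its rim. */
void make_sample(double z[GRID][GRID], int face) {
    for (int y = 0; y < GRID; y++)
        for (int x = 0; x < GRID; x++) {
            double r2 = (x - 10) * (x - 10) + (y - 10) * (y - 10);
            double bump = 40.0 - 0.4 * r2;
            z[y][x] = face ? 400.0 - (bump > 0 ? bump : 0) : 400.0 + 0.8 * x - 0.5 * y;
        }
}

int main(void) {
    double z[GRID][GRID];
    make_sample(z, 0); printf("sheet flat=%d\n", looks_flat(z));
    make_sample(z, 1); printf("face  flat=%d\n", looks_flat(z));
    return 0;
}
```

Fitting the plane first means a sheet held at an angle to the camera is still reported as flat.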

Technology Review


Here is a brief overview of Intel technologies that can take biometric security to a new level.


The yellow icons indicate the uses of Intel technologies to enhance the security of biometric applications.


Results


Biometric user identification is different from the traditional scheme using a username and password. Human biometric data is almost impossible to change. As a result, this approach to authentication requires an increased level of system security.

Intel offers a variety of hardware technologies that are available in both desktop computers equipped with Intel processors and mobile devices. These technologies can help biometrics developers create more secure authentication systems without the need for additional hardware.

Source: https://habr.com/ru/post/282411/
