Security Software—Intel® QuickAssist Technology Cryptographic API Architecture Overview
Intel® EP80579 Software for Security Applications on Intel® QuickAssist Technology
PG August 2009
26 Order Number: 320183-004US
GCM
“Galois/Counter Mode (GCM) is a block cipher mode of operation that uses universal
hashing over a binary Galois field to provide authenticated encryption.” This is an
excerpt from the GCM specification which can be accessed at: http://www.nist.gov/
4.4.2 Key Generation
The Cryptographic API module provides TLS and SSL key generation operations along
with a Mask Generation Function (MGF).
TLS/SSL Generation: For both algorithms, functions are provided for the generation of
the Master-Secret and Key Materials. These are optimized accelerations for use in
SSL/TLS key negotiation and generation applications.
MGF: Takes a seed of specified length and produces a pseudorandom generated mask
of the specified size.
4.4.3 Lookaside PKE Overview
This section gives a brief overview of public key algorithms and standards relevant to
EP80579 security software. The following is a list of public key algorithms/standards:
• Diffie-Hellman (DH) Key Exchange – PKCS #3 v1.4
• RSA Cryptography Standard – PKCS #1 v2.1 and ANSI X9.31
• Digital Signature Algorithm (DSA) – FIPS-186-2
• GCD, Miller-Rabin, Lucas and Fermat primality testing (ANSI X9.80)
4.4.3.1 Diffie-Hellman Key Exchange
DH is used to create a “shared secret”, from which symmetric key information may be
derived. This key can be used to encrypt subsequent communications using a
symmetric key cipher.
The protocol has two system parameters, p and g. They are both public and may be
used by all the users in a system. Parameter p is a prime number and parameter g
(usually called a generator) is an integer less than p, with the following property: for
every number n between 1 and p-1 inclusive, there is a power k of g such that
$n = g^k \bmod p$.
The underlying mathematical principle is the identity:
$(g^a \bmod p)^b \bmod p = (g^b \bmod p)^a \bmod p$. DH cryptographic strength is
derived from the fact that discrete logarithms are difficult to compute in a MODP group.
A set of standard DH (MODP) groups is defined in RFC-2409 and RFC-3526. Modulus sizes
range from 768 to 4096 bits.
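The generator property and the exchange described above, as an added example that is not part of the original guide and does not use the EP80579 API. The toy values p = 23 and g = 5, the function names, the public-value range check and the SHA-256 derivation step are all assumptions made for illustration.

```python
import hashlib
import secrets

# Constructed toy parameters, far too small for real use: p = 23 is prime and
# g = 5 generates every value in 1..p-1. Real systems use the standard MODP groups.
P, G = 23, 5

def is_generator(g, p):
    """The generator property: every n in 1..p-1 equals g^k mod p for some k."""
    return {pow(g, k, p) for k in range(1, p)} == set(range(1, p))

def check_public(y, p):
    """Added check (not from the guide): refuse 0, 1, p-1 and out-of-range
    values, which would make the shared secret predictable."""
    if not 2 <= y <= p - 2:
        raise ValueError("peer public value out of range")
    return y

def keypair(p, g):
    """Return (private x, public g^x mod p), retrying on a degenerate public value."""
    while True:
        x = secrets.randbelow(p - 3) + 2  # x in [2, p-2]
        y = pow(g, x, p)
        if 2 <= y <= p - 2:
            return x, y

def shared_secret(peer_public, private, p):
    """(g^b mod p)^a mod p, computed only after validating the peer's value."""
    return pow(check_public(peer_public, p), private, p)

def derive_key(secret, p):
    """Assumed derivation step: SHA-256 over the fixed-width shared secret."""
    width = (p.bit_length() + 7) // 8
    return hashlib.sha256(secret.to_bytes(width, "big")).digest()

def exchange(p=P, g=G):
    """Run both sides; each side sees only the other's public value."""
    a, pub_a = keypair(p, g)
    b, pub_b = keypair(p, g)
    key_a = derive_key(shared_secret(pub_b, a, p), p)
    key_b = derive_key(shared_secret(pub_a, b, p), p)
    return key_a, key_b

if __name__ == "__main__":
    key_a, key_b = exchange()
    print("generator ok:", is_generator(G, P), "keys match:", key_a == key_b)
```

With p = 23, the value 2 fails `is_generator` because its powers reach only 11 of the 22 residues, which is why g must be chosen together with p rather than picked arbitrarily.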
There are two modes of Diffie-Hellman:
• Normal Diffie-Hellman: DH parameters are contained within a certificate, signed
by a certificate authority (CA).
• Ephemeral Diffie-Hellman: DH parameters are created “on the fly” by the
negotiating parties. These parameters are then signed using a DSS or RSA
certificate, which is itself signed by a CA.