1. Field of the Invention
This invention relates in general to the field of microelectronics, and more particularly to an apparatus and method for performing cryptographic operations in a microprocessor.
2. Description of the Related Art
An early computer system operated independently of other computer systems in the sense that all of the input data required by an application program executing on the early computer system was either resident on that computer system or was provided by an application programmer at run time. The application program generated output data as a result of being executed and the output data was generally in the form of a paper printout or a file which was written to a magnetic tape drive, disk drive, or other type of mass storage device that was part of the computer system. The output file could then be used as an input file to a subsequent application program that was executed on the same computer system or, if the output data was previously stored as a file to a removable or transportable mass storage device, it could then be provided to a different, yet compatible, computer system to be employed by application programs thereon. On these early systems, the need for protecting sensitive information was recognized and, among other information security measures, cryptographic application programs were developed and employed to protect the sensitive information from unauthorized disclosure. These cryptographic programs typically scrambled and unscrambled the output data that was stored as files on mass storage devices.
It was not many years thereafter before users began to discover the benefits of networking computers together to provide shared access to information. Consequently, network architectures, operating systems, and data transmission protocols commensurately evolved to the extent that the ability to access shared data was not only supported, but prominently featured. For example, it is commonplace today for a user of a computer workstation to access files on a different workstation or network file server, or to utilize the Internet to obtain news and other information, or to transmit and receive electronic messages (i.e., email) to and from hundreds of other computers, or to connect with a vendor's computer system and to provide credit card or banking information in order to purchase products from that vendor, or to utilize a wireless network at a restaurant, airport, or other public setting to perform any of the aforementioned activities. Therefore, the need to protect sensitive data and transmissions from unauthorized disclosure has grown dramatically. The number of instances during a given computer session where a user is obliged to protect his or her sensitive data has substantially increased. Current news headlines regularly force computer information security issues such as spam, hacking, identity theft, reverse engineering, spoofing, and credit card fraud to the forefront of public concern. And since the motivation for these invasions of privacy range all the way from innocent mistakes to premeditated cyber terrorism, responsible agencies have responded with new laws, stringent enforcement, and public education programs. Yet, none of these responses has proved to be effective at stemming the tide of computer information compromise. Consequently, what was once the exclusive concern of governments, financial institutions, the military, and spies has now become a significant issue for the average citizen who reads their email or accesses their checking account transactions from their home computer. On the business front, one skilled in the art will appreciate that corporations from small to large presently devote a remarkable portion of their resources to the protection of proprietary information.
The field of information security that provides us with techniques and means to encode data so that it can only be decoded by specified individuals is known as cryptography. When particularly applied to protecting information that is stored on or transmitted between computers, cryptography most often is utilized to transform sensitive information (known in the art as “plaintext” or “cleartext”) into an unintelligible form (known in the art as “ciphertext”). The transformation process of converting plaintext into ciphertext is called “encryption,” “enciphering,” or “ciphering” and the reverse transformation process of converting ciphertext back into plaintext is referred to as “decryption,” “deciphering,” or “inverse ciphering.”
Within the field of cryptography, several procedures and protocols have been developed that allow for users to perform cryptographic operations without requiring great knowledge or effort and for those users to be able to transmit or otherwise provide their information products in encrypted forms to different users. Along with encrypted information, a sending user typically provides a recipient user with a “cryptographic key” that enables the recipient user to decipher the encrypted information thus enabling the recipient user to recover or otherwise gain access to the unencrypted original information. One skilled in the art will appreciate that these procedures and protocols generally take the form of password protection, mathematical algorithms, and application programs specifically designed to encrypt and decrypt sensitive information.
Several classes of algorithms are currently used to encrypt and decrypt data. Algorithms according to one such class (i.e., public key cryptographic algorithms, an instance of which is the RSA algorithm) employ two cryptographic keys, a public key and a private key, to encrypt or decrypt data. According to some of the public key algorithms, a recipient's public key is employed by a sender to encrypt data for transmission to the recipient. Because there is a mathematical relationship between a user's public and private keys, the recipient must employ his private key to decrypt the transmission in order to recover the data. Although this class of cryptographic algorithms enjoys widespread use today, encryption and decryption operations are exceedingly slow even on small amounts of data. A second class of algorithms, known as symmetric key algorithms, provide commensurate levels of data security and can be executed much faster. These algorithms are called symmetric key algorithms because they use a single cryptographic key to both encrypt and decrypt information. In the public sector, there are currently three prevailing single-key cryptographic algorithms: the Data Encryption Standard (DES), Triple DES, and the Advanced Encryption Standard (AES). Because of the strength of these algorithms to protect sensitive data, they are used now by U.S. Government agencies, but it is anticipated by those in the art that one or more of these algorithms will become the standard for commercial and private transactions in the near future. According to all of these symmetric key algorithms, plaintext and ciphertext is divided into blocks of a specified size for encryption and decryption. For example, AES performs cryptographic operations on blocks 128 bits in size, and uses cryptographic key sizes of 128-, 192-, and 256-bits. Other symmetric key algorithms such as the Rijndael Cipher allow for 192- and 256-bit data blocks as well. Accordingly, for a block encryption operation, a 1024-bit plaintext message is encrypted as eight 128-bit blocks.
All of the symmetric key algorithms utilize the same type of sub-operations to encrypt a block of plaintext. And according to many of the more commonly employed symmetric key algorithms, an initial cryptographic key is expanded into a plurality of keys (i.e., a “key schedule”), each of which is employed as a corresponding cryptographic “round” of sub-operations is performed on the block of plaintext. For instance, a first key from the key schedule is used to perform a first cryptographic round of sub-operations on the block of plaintext. The result of the first round is used as input to a second round, where the second round employs a second key from the key schedule to produce a second result. And a specified number of subsequent rounds are performed to yield a final round result which is the ciphertext itself. According to the AES algorithm, the sub-operations within each round are referred to in the literature as SubBytes (or S-box), ShiftRows, MixColums, and AddRoundKey. Decryption of a block of ciphertext is similarly accomplished with the exceptions that the ciphertext is the input to the inverse cipher and inverse sub-operations are performed (e.g., Inverse MixColumns, Inverse ShiftRows) during each of the rounds, and the final result of the rounds is a block of plaintext.
DES and Triple-DES utilize different specific sub-operations, but the sub-operations are analogous to those of AES because they are employed in a similar fashion to transform a block of plaintext into a block of ciphertext.
To perform cryptographic operations on multiple successive blocks of text, all of the symmetric key algorithms employ the same types of modes. These modes include electronic code book (ECB) mode, cipher block chaining (CBC) mode, cipher feedback (CFB) mode, and output feedback (OFB) mode. Some of these modes utilize an additional initialization vector during performance of the sub-operations and some use the ciphertext output of a first set of cryptographic rounds performed on a first block of plaintext as an additional input to a second set of cryptographic rounds performed on a second block of plaintext. It is beyond the scope of the present application to provide an in depth discussion of each of the cryptographic algorithms and sub-operations employed by present day symmetric key cryptographic algorithms. For specific implementation standards, the reader is directed to Federal Information Processing Standards Publication 46-3 (FIPS-46-3), dated Oct. 25, 1999 for a detailed discussion of DES and Triple DES, and Federal Information Processing Standards Publication 197 (FIPS-197), dated Nov. 26, 2001 for a detailed discussion of AES. Both of the aforementioned standards are issued and maintained by the National Institute of Standards and Technology (NIST) and are herein incorporated by reference for all intents and purposes. In addition to the aforementioned standards, tutorials, white papers, toolkits, and resource articles can be obtained from NIST's Computer Security Resource Center (CSRC) over the Internet at http://csrc.nist.gov/.
One skilled in the art will appreciate that there are numerous application programs available for execution on a computer system that can perform cryptographic operations (i.e., encryption and decryption). In fact, some operating systems (e.g. Microsoft® WindowsXP®, Linux) provide direct encryption/decryption services in the form of cryptographic primitives, cryptographic application program interfaces, and the like. The present inventors, however, have observed that present day computer cryptography techniques are deficient in several respects. Thus, the reader's attention is directed to FIG. 1, whereby these deficiencies are highlighted and discussed below.
FIG. 1 is a block diagram 100 illustrating present day computer cryptography applications. The block diagram 100 depicts a first computer workstation 101 connected to a local area network 105. Also connected to the network 105 is a second computer workstation 102, a network file storage device 106, a first router 107 or other form of interface to a wide area network (WAN) 110 such as the Internet, and a wireless network router 108 such as one of those compliant with IEEE Standard 802.11. A laptop computer 104 interfaces to the wireless router 108 over a wireless network 109. At another point on the wide area network 110, a second router 111 provides interface for a third computer workstation 103.
As alluded to above, a present day user is confronted with the issue of computer information security many times during a work session. For example, under the control of a present day multi-tasking operating system, a user of workstation 101 can be performing several simultaneous tasks, each of which require cryptographic operations. The user of workstation 101 is required to run an encryption/decryption application 112 (either provided as part of the operating system or invoked by the operating system) to store a local file on the network file storage device 106. Concurrent with the file storage, the user can transmit an encrypted message to a second user at workstation 102, which also requires executing an instance of the encryption/decryption application 112. The encrypted message may be real-time (e.g., an instant message) or non-real-time (i.e. email). In addition, the user can be accessing or providing his/her financial data (e.g., credit card numbers, financial transactions, etc.) or other forms of sensitive data over the WAN 110 from workstation 103. Workstation 103 could also represent a home office or other remote computer 103 that the user of workstation 101 employs when out of the office to access any of the shared resources 101, 102, 106 107, 108, 109 on local area network 105. Each of these aforementioned activities requires that a corresponding instance of the encryption/decryption application 112 be invoked. Furthermore, wireless networks 109 are now being routinely provided in coffee shops, airports, schools, and other public venues, thus prompting a need for a user of laptop 104 to encrypt/decrypt not only his/her messages to/from other users, but to encrypt and decrypt all communications over the wireless network 109 to the wireless router 108.
One skilled in the art will therefore appreciate that along with each activity that requires cryptographic operations at a given workstation 101–104, there is a corresponding requirement to invoke an instance of the encryption/decryption application 112. Hence, a computer 101–104 in the near future could potentially be performing hundreds of concurrent cryptographic operations.
The present inventors have noted several limitations to the above approach of performing cryptographic operations by invoking one or more instances of an encryption/decryption application 112 on a computing system 101–104. For example, performing a prescribed function via programmed software is exceedingly slow compared to performing that same function via dedicated hardware. Each time the encryption/decryption application 112 is required, a current task executing on a computer 101–104 must be suspended from execution, and parameters of the cryptographic operation (i.e., plaintext, ciphertext, mode, key, etc.) must be passed through the operating system to the instance of the encryption/decryption application 112, which is invoked for accomplishment of the cryptographic operation. And because cryptographic algorithms necessarily involve many rounds of sub-operations on a particular block of data, execution of the encryption/decryption applications 112 involves the execution of numerous computer instructions to the extent that overall system processing speed is disadvantageously affected. One skilled in the art will appreciate that sending a small encrypted email message in Microsoft® Outlook® can take up to five times as long as sending an unencrypted email message.
In addition, current techniques are limited because of the delays associated with operating system intervention. Most application programs do not provide integral key generation or encryption/decryption components; they employ components of the operating system or plug-in applications to accomplish these tasks. And operating systems are otherwise distracted by interrupts and the demands of other currently executing application programs.
Furthermore, the present inventors have noted that the accomplishment of cryptographic operations on a present day computer system 101–104 is very much analogous to the accomplishment of floating point mathematical operations prior to the advent of dedicated floating point units within microprocessors. Early floating point operations were performed via software and hence, they executed very slowly. Like floating point operations, cryptographic operations performed via software are disagreeably slow. As floating point technology evolved further, floating point instructions were provided for execution on floating point co-processors. These floating point co-processors executed floating point operations much faster than software implementations, yet they added cost to a system. Likewise, cryptographic co-processors exist today in the form of add-on boards or external devices that interface to a host processor via parallel ports or other interface buses (e.g., USB). These co-processors certainly enable the accomplishment of cryptographic operations much faster than pure software implementations. But cryptographic co-processors add cost to a system configuration, require extra power, and decrease the overall reliability of a system. Cryptographic co-processor implementations are additionally vulnerable to snooping because the data channel is not on the same die as the host microprocessor.
Therefore, the present inventors recognize a need for dedicated cryptographic hardware within a present day microprocessor such that an application program that requires a cryptographic operation can direct the microprocessor to perform the cryptographic operation via a single, atomic, cryptographic instruction. The present inventors also recognize that such a capability should be provided so as to limit requirements for operating system intervention and management. Also, it is desirable that the cryptographic instruction be available for use at an application program's privilege level and that the dedicated cryptographic hardware comport with prevailing architectures of present day microprocessors. There is also a need to provide the cryptographic hardware and associated cryptographic instruction in a manner that supports compatibility with legacy operating systems and applications. It is moreover desirable to provide an apparatus and method for performing cryptographic operations that is resistant to unauthorized observation, that can support multiple cryptographic algorithms, that supports verification and testing of the particular cryptographic algorithm that is embodied thereon, that allows for user-provided keys as well as self-generated keys, that supports multiple data block sizes and key sizes, and that provides for programmable block encryption/decryption modes such as ECB, CBC, CFB, and OFB.