Provision a Linux Web Server for Intel® AES-NI
How to Provision a Linux* Web Server for Intel® AES-NI
This guide will review the steps to configure a server and client to use Intel® Advanced Encryption Standard New Instructions (Intel® AES-NI) when performing secure web transactions. Intel AES-NI provides significant performance improvements allowing the use of data protection not feasi...ble before. Intel AES-NI is a set of seven new instructions in the Intel® Xeon® processor 5600 series (formerly codenamed Westmere-EP). The instructions are also available on certain desktop and mobile processors. Several newer Linux* distributions have Intel AES-NI support built-in. Older distributions require the use of a patch to OpenSSL. The steps outlined in this paper ensure the software is configuration to use this new capability.
A secure web transaction, like accessing one’s bank account, encrypts the data before sending it over the Internet. Secure Socket Layer (SSL) and the newer Transport Layer Security (TLS) are the protocols typically used to deliver secure transactions over the network. When a client machine wants to securely access a server machine over TLS or SSL, a handshake occurs to choose the encryption protocol. For the new instructions to be used, the AES cipher must be selected during the handshake. The encryption cipher is chosen based on the preferred order that is configured in the software. To use AES and therefore Intel AES-NI, the AES cipher should be first on each priority list. The web server should be configured to have the AES cipher as the preferred choice, highest on the cipher list. For the client computers under your control, you want to also establish AES as the default cipher. These settings will be reviewed in the paper to ensure they use the new capabilities offered by the Intel Xeon processor 5600 series.
Several newer distributions have Intel AES-NI support built-in, such as Red Hat Enterprise Linux* 6 (in beta2 at time of writing) and Fedora* 13. For this paper, Fedora13, RHEL6 beta2 and Firefox 3.5.3 were used. Older distributions require the use of a patch to OpenSSL Since detailed step-by-step instructions are dependent on the specific distribution and configuration, some instructions may vary if a different distribution is used.
Read the full Provision a Linux* Web Server for Intel AES-NI Guide.