How to Provision a Windows* Web Server for Intel® AES-NI
Abstract: This guide reviews the steps to configure a server and client to use Intel® Advanced Encryption Standard New Instructions (Intel® AES-NI) when performing secure web transactions. Intel AES-NI provides significant performance improvements, allowing the use of data protection that was not feasible before. Intel AES-NI is a set of seven new instructions in the Intel® Xeon® processor 5600 series (formerly codenamed Westmere-EP). The instructions are also available on certain desktop and mobile processors. Microsoft Windows Server* 2008 Release 2 and Windows* 7 have built-in support for the new instructions. The steps outlined in this paper ensure the software is configured to use this new capability.
A secure web transaction, like accessing one’s bank account, encrypts the data before sending it over the Internet. Secure Sockets Layer (SSL) and the newer Transport Layer Security (TLS) are the protocols typically used to deliver secure transactions over the network. When a client machine wants to securely access a server machine over TLS or SSL, a handshake occurs to choose the encryption protocol. For the new instructions to be used, the AES cipher must be selected during the handshake. The encryption cipher is chosen based on the preferred order that is configured in the software. To use AES, and therefore Intel AES-NI, the AES cipher should be first on each priority list. The web server should be configured to have the AES cipher as the preferred choice, highest on the cipher list. On the client computers under your control, you should also establish AES as the default cipher. The guide reviews these settings to ensure that they use the new capabilities offered by the Intel Xeon processor 5600 series.
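The selection rule described above, modeled as an added example (not code from the guide or from Windows). The suite names are standard TLS identifiers; the two priority lists, the function names and the `server_preference` switch are constructed for illustration. It shows that AES is only certain to be negotiated when it leads both lists, whichever side's order wins.

```python
"""Model of cipher-suite selection from two priority lists (illustrative)."""

def parse_order(text):
    """Split a comma-separated priority list into suite names, dropping blanks."""
    return [s.strip() for s in text.split(",") if s.strip()]

def uses_aes(suite):
    """True when the suite's bulk cipher is AES, the case Intel AES-NI accelerates."""
    return "_WITH_AES_" in suite

def negotiate(server_order, client_order, server_preference=True):
    """Return the first mutually supported suite, walking the list of the
    side whose order wins; None when the two lists share no suite."""
    if server_preference:
        walk, other = server_order, client_order
    else:
        walk, other = client_order, server_order
    allowed = set(other)
    for suite in walk:
        if suite in allowed:
            return suite
    return None

def aes_first(order):
    """Stable reorder: AES suites move to the front, relative order is kept."""
    return [s for s in order if uses_aes(s)] + [s for s in order if not uses_aes(s)]

# Constructed sample priority lists (assumptions, not taken from the guide).
SERVER = parse_order("TLS_RSA_WITH_RC4_128_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, "
                     "TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA")
CLIENT = parse_order("TLS_RSA_WITH_RC4_128_MD5,TLS_RSA_WITH_RC4_128_SHA,"
                     "TLS_RSA_WITH_AES_128_CBC_SHA")

def report():
    """Negotiate each configuration under both preference policies."""
    cases = [("as configured", SERVER, CLIENT),
             ("server AES first", aes_first(SERVER), CLIENT),
             ("both AES first", aes_first(SERVER), aes_first(CLIENT))]
    rows = []
    for label, srv, cli in cases:
        for server_pref in (True, False):
            chosen = negotiate(srv, cli, server_pref)
            rows.append((label, server_pref, chosen, bool(chosen) and uses_aes(chosen)))
    return rows

if __name__ == "__main__":
    for row in report():
        print(row)
```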
Read the full Windows* Web Server for Intel® AES-NI Guide.