How to Use Encrypted Model With OpenVINO

Deploying deep-learning capabilities to edge devices can present security challenges like ensuring inference integrity, or providing copyright protection of your deep-learning models. OpenVINO™ provides a simple method with a crypto algorithm to protect a model in the disk. Model encryption, decryption, and authentication are not provided by OpenVINO but can be implemented with third-party tools (i.e., OpenSSL). In this example, we use the AES-128-cbc algorithm in OpenSSL to demonstrate the model cryptography.

As you can see in the image below, there are two parts to the process:

1. First is to encrypt your plain IR model into an encrypted model.
2. The second part is to use the same password key and IV which was used for the encryption before to decrypt the model at the model loading runtime.

Step 1: Encrypt model

Make sure you install OpenSSL, for example in Ubuntu:

$ sudo apt install openssl

Then use the command line to do model encryption by OpenSSL AES-128-CBC algorithm. In this simple example, I use the same password for Key and IV, it is hexadecimal of the string “openvino encrypt”. You can use some online str2hex tool to generate a hex representation of your string password.

$ openssl enc -aes-128-cbc -in openvino_model.xml -out openvino_model_enc.xml -K 6f70656e76696e6f20656e6372797074 -iv 6f70656e76696e6f20656e6372797074
$ openssl enc -aes-128-cbc -in openvino_model.bin -out openvino_model_enc.bin -K 6f70656e76696e6f20656e6372797074 -iv 6f70656e76696e6f20656e6372797074

Step 2: Decrypt model

Here we provide the sample code to read the encrypted model into the buffer and decrypt it to plain model binary. Then read and compile the model.

#include <fstream>
#include <iostream>
#include <vector>
#include <cmath>
#include <cctype>
#include <string>
#include "openvino/runtime/core.hpp"
#include <openssl/aes.h>

using namespace std;
vector<unsigned char> aes_128_cbc_decrypt(
    vector<unsigned char> &cipher,
    std::vector<unsigned char> &key,
    std::vector<unsigned char> iv) {
    AES_KEY ctx;
    AES_set_decrypt_key(key.data(), 128, &ctx);
    std::vector<uint8_t> plain;
    //cipherLen = clearLen + 16 - (clearLen mod 16)
    int plain_size = ceil(cipher.size()/16)*16; //make sure alloc buffer is enough to plain_size
    plain.resize(plain_size);
    std::cout << "AES_cbc_encrypt start:" << std::endl;
    AES_cbc_encrypt(cipher.data(), plain.data(), plain.size(), &ctx, iv.data(), AES_DECRYPT);
    std::cout << "AES_cbc_encrypt done" << std::endl;
    return plain;
}
void decrypt_file(std::ifstream & stream,
                  std::vector<unsigned char> & key,
                  std::vector<unsigned char> & iv,
                  std::vector<uint8_t> & result) {
    std::vector<unsigned char> cipher((std::istreambuf_iterator<char>(stream)),  std::istreambuf_iterator<char>());
    std::cout << "aes_128_cbc_decrypt" << std::endl;
    std::vector<unsigned char> decrypt_model = aes_128_cbc_decrypt(cipher, key, iv);
    result = decrypt_model;
}
int main() {
    std::string password="openvino encrypt"; //real app should save key to hex use hex2string to process 
    std::vector<unsigned char> key(password.begin(),password.end());
    std::vector<unsigned char> iv(password.begin(),password.end());
    std::vector<uint8_t> model_data, weights_data;
    std::ifstream model_file("openvino_model_enc.xml",std::ios::in | std::ios::binary), weights_file("openvino_model_enc.bin",std::ios::in | std::ios::binary);
    // Read model files and decrypt them into temporary memory block
    std::cout << "decrypt file" << std::endl;
    decrypt_file(model_file, key, iv, model_data); //key & iv is the same
    decrypt_file(weights_file, key, iv, weights_data);
    ov::Core core;
    // Load model from temporary memory block
    std::string str_model(model_data.begin(), model_data.end());
    auto model = core.read_model(str_model,ov::Tensor(ov::element::u8, {weights_data.size()}, weights_data.data()));
    ov::CompiledModel compiled_model=core.compile_model(model,"CPU");
    std::cout << "compile success" << std::endl;
    return 0;
}

This blog just provides an example of model encryption by OpenSSL. This method can only protect your model in the disk.

Reference:

1. OpenVINO model protection: https://docs.openvino.ai/2023.1/openvino_docs_OV_UG_protecting_model_guide.html
2. OpenSSL official website: https://www.openssl.org/

Notices & Disclaimers

Intel technologies may require enabled hardware, software, or service activation.

No product or component can be absolutely secure.

Your costs and results may vary.

© Intel Corporation. Intel, the Intel logo, and other Intel marks are trademarks of Intel Corporation or its subsidiaries. Other names and brands may be claimed as the property of others.