Outline Motivation WhiteBox Cryptography WhiteBox Implementation WhiteBox In Practice Conclusion Motivation Cryptography is widely used nowadays attack still exists BlackBox Attack Model ID: 610900
Download Presentation The PPT/PDF document "White-Box Cryptography" is the property of its rightful owner. Permission is granted to download and print the materials on this web site for personal, non-commercial use only, and to display it on your personal computer provided you do not modify the materials and that you retain all copyright notices contained in the materials. By downloading content from our website, you accept the terms of this agreement.
Slide1
White-Box CryptographySlide2
Outline
Motivation
White-Box
Cryptography
White-Box Implementation
White-Box In Practice
ConclusionSlide3
Motivation
Cryptography is widely used nowadays, attack still
exists.
Black-Box Attack Model
White-Box Attack ModelSlide4
Black-Box Attack Model
Tries to deduce the key from a list {(plaintext, ciphertext)}Slide5
Black-Box Attack Model
Side-channel Attack
Executing
time
Electromagnetic
radiation
Power consumptionSlide6
White-Box Attack Model
Attacker has full control over software
execution
Full access to the implementation of cryptography
algorithm
Full access to the platform: CPU calls, memory, registers, etc
.
Binary completely
visible
Can manipulate the executionSlide7
White-Box Attack Model
Target for
attack
Implementation of
cryptography
Secret keySlide8
White-Box Attack Example
Key Whitening
Attack
Zero lookup tables(such as S-box) using hex
editor
Getting output of penultimate
operation
Original AES key easily be derivedSlide9
White-Box Attack Example
Entropy
Attack
Object: Computer Memory
Keys: usually chose by random
generator
Code: contains structureSlide10
White-Box Attack Example
Format
Analysis
Analyze binary
codeSlide11
White-Box Attack Example
Code Boot
Attack
Applicable to
Bitlocker
,
TrueCrypt
,
FileVault
TrueCrypt
boot loader
Password
entered at boot time
Disk
encryption key needs to be stored in memory
Attack: exploit data
remanency
property of DRAM, cooling increase time
Removed & inserted into another hacked machine to read data, such as crypto keysSlide12
Outline
Motivation
White-Box Cryptography
White-Box Implementation
White-Box In Practice
ConclusionSlide13
Object
Hide a cryptography key in a white-box implementationSlide14
A Naive Example
Implement a cipher as one big lookup
table
No
more information ‘leaks’ from the set of {(plaintext, ciphertext)}
Lookup Table size: For n-bit block cipher, size would be n*2
n
bit
32
bit: 2
32
*32 bit =2
37
bit=4
GBytes
Using a network of lookup table
instead
void encrypt (uint32_t* plaintext, uint32_t* ciphertext) {
char
S[] = { 0x9e37b8e9, 0xaf48c9fa, 0x8d26a7d8, … }; /*
Sbox
*/
ciphertext
= S[plaintext];
}Slide15
What is White-Box Cryptography?
Definition
D
wb
(m): need ONE input
D
k
(m): need TWO input
Essentially,
D
wb
(m) is the exclusive edition of
D
k
(m) with specific cipher key.Slide16
What is White-Box Cryptography?
Main
Idea
Embed both the fixed key & random data in a composition.
Hard to derive the original key.
Attacker
knows which crypto algorithm
Attacker
knows where in the memory
Attacker
knows where in the applicationSlide17
What is White-Box Cryptography?
State of Art
Unfortunately
, there is no white-box cryptography proved to be secure
Current
best method: hide keys according to characteristics of the specific crypto algorithm
Only
white-box DES & AES published
Both
have been broken
No
academic paper on asymmetric
primitivesSlide18
What is White-Box Cryptography?
State of Art
Interesting
:
After some company buying white-box crypto solutions, they mix their own crypto, which is not recommended in crypto application.
For white-box crypto, this is reasonable.
Security of white-box crypto depends on how hard the cipher key is hidden, not the cipher primitives
.Slide19
Outline
Motivation
White-Box Cryptography
White-Box Implementation
White-Box In Practice
ConclusionSlide20
First White-Box Implementation
Chow
et al. 2002.
A White-Box DES Implementation for DRM Applications
Chow et al. 2002.
White-Box Cryptography and an AES
ImplementationSlide21
Original DES
Basic
operations: Replacing, Changing places, XOR
Chow, et al.: Transform to randomized networked lookup tables closely related to the crypto keySlide22
White-Box DES
Transform a cipher into a series of key-dependent lookup tables.
Secret key is hard-code into the lookup tables
Protected
by randomization techniquesSlide23
Lookup Tables Example
Lookup Tables: define every input & output
Any
finite function can transform to a lookup
table
Table
A: Replacing Operation
Table B: XOR Operation
Table C: Negative OperationSlide24
Lookup Tables Example
All basic primitives in DES transform into lookup tables
:Slide25
Divide and Conquer
Attacker may recognize every lookup table and analyze each basic operation
.
Mix 3 tables into 1 big lookup table:Slide26
Divide and Conquer
BUT, the lookup table will become very huge.
For
n bits input & m bits output, 2
n
×
m bits is required.
Solution
: we need a series of networked lookup tables: L
1
◦ L
2
◦ L
3
◦
…Slide27
Partial Evaluation
Chow, et al. adopted partial evaluation to mix crypto keys with algorithm.
D
skey
(m)
D
wb
(m)
In DES:
Some operation is fixed (e.g. changing place)
Corresponding lookup tables are fixed
--------
not affected by crypto keys
Some operation is NOT fixed (e.g. replacing using crypto key)
Corresponding lookup tables are NOT fixed -------- affected by crypto keys
Attacker can distinguish the unfixed lookup tables by analyzing each table
We need to randomize every lookup table
Making
distinguishing more difficultSlide28
Internal Encodings
Considering 3 consecutive lookup tables in the network: L
3
◦L
2
◦L
1
, L
2
contains some key information.
e.g. L
2
(x)=x
⊕
k
Every lookup table is available to the white-box attacker
The key information can be extracted directly
e.g. L
2
(0
)Slide29
Internal Encodings
Countermeasure
: Add internal encoding
:
b
1
, b
2
: randomization operations
b
1
-1
, b
2
-1
: opposite operations
L
’
3
◦ L
’
2
◦ L
’
1
= L
3
◦b
2
-1
◦b
2
◦ L
2
◦b
1
-1
◦b
1
◦ L
1
= L
3
◦ L
2
◦ L
1
Now, L
’
2
does not leak any key information
Attacker
have to analyze all 3 encoded tables to gain informationSlide30
Outline
Motivation
White-Box Cryptography
White-Box Implementation
White-Box In Practice
ConclusionSlide31
Code Lifting
Attacker: No need to know internal details, just need API.
Embed
the white-box implementation into his App.
Still
encrypt/decrypt data as having the key.Slide32
External Encodings
Same as Internal Encodings.
But
not between 2 blocks inside cryptography implementation
But outside
Annihilating encoding somewhere else
e.g
. incorporate into the decryption functionsSlide33
Traitor Tracing
Object: Detect who has been sharing code (pirate)
Use
case: DRM
Insert fingerprints into white-box
implementation
Can
also be used in software tamper resistance
Malware
instructions can be detected
Any
modification leads to lookup tables collapseSlide34
Conclusion
Being used in real-world application, mainly DRM apps.
Although academic attacks have been published
No attacks on commercial white-box implementation have been seen.
White-box cryptography still in its early days
Requires further research before being widely adopted
.