1 / 34

White-Box Cryptography

White-Box Cryptography. Outline. Motivation White-Box Cryptography White-Box Implementation White-Box In Practice Conclusion. Motivation. Cryptography is widely used nowadays, attack still exists. Black-Box Attack Model White-Box Attack Model. Black-Box Attack Model.

tracen
Download Presentation

White-Box Cryptography

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. White-Box Cryptography

  2. Outline • Motivation • White-Box Cryptography • White-Box Implementation • White-Box In Practice • Conclusion

  3. Motivation Cryptography is widely used nowadays, attack still exists. • Black-Box Attack Model • White-Box Attack Model

  4. Black-Box Attack Model • Tries to deduce the key from a list {(plaintext, ciphertext)}

  5. Black-Box Attack Model • Side-channel Attack • Executing time • Electromagnetic radiation • Power consumption

  6. White-Box Attack Model • Attacker has full control over software execution • Full access to the implementation of cryptography algorithm • Full access to the platform: CPU calls, memory, registers, etc. • Binary completely visible • Can manipulate the execution

  7. White-Box Attack Model • Target for attack • Implementation of cryptography • Secret key

  8. White-Box Attack Example • Key Whitening Attack • Zero lookup tables(such as S-box) using hex editor • Getting output of penultimate operation • Original AES key easily be derived

  9. White-Box Attack Example • Entropy Attack • Object: Computer Memory • Keys: usually chose by random generator • Code: contains structure

  10. White-Box Attack Example • Format Analysis • Analyze binary code

  11. White-Box Attack Example • Code Boot Attack • Applicable to Bitlocker, TrueCrypt, FileVault • TrueCrypt boot loader • Password entered at boot time • Disk encryption key needs to be stored in memory • Attack: exploit data remanency property of DRAM, cooling increase time • Removed & inserted into another hacked machine to read data, such as crypto keys

  12. Outline • Motivation • White-Box Cryptography • White-Box Implementation • White-Box In Practice • Conclusion

  13. Object • Hide a cryptography key in a white-box implementation

  14. A Naive Example • Implement a cipher as one big lookup table • No more information ‘leaks’ from the set of {(plaintext, ciphertext)} • Lookup Table size: For n-bit block cipher, size would be n*2n bit • 32 bit: 232*32 bit =237 bit=4 GBytes • Using a network of lookup table instead void encrypt (uint32_t* plaintext, uint32_t* ciphertext) { char S[] = { 0x9e37b8e9, 0xaf48c9fa, 0x8d26a7d8, … }; /* Sbox */ ciphertext = S[plaintext]; }

  15. What is White-Box Cryptography? • Definition • Dwb(m): need ONE input • Dk(m): need TWO input • Essentially, Dwb(m) is the exclusive edition of Dk(m) with specific cipher key.

  16. What is White-Box Cryptography? • Main Idea • Embed both the fixed key & random data in a composition. • Hard to derive the original key. • Attacker knows which crypto algorithm • Attacker knows where in the memory • Attacker knows where in the application

  17. What is White-Box Cryptography? • State of Art • Unfortunately, there is no white-box cryptography proved to be secure • Current best method: hide keys according to characteristics of the specific crypto algorithm • Only white-box DES & AES published • Both have been broken • No academic paper on asymmetric primitives

  18. What is White-Box Cryptography? • State of Art • Interesting: • After some company buying white-box crypto solutions, they mix their own crypto, which is not recommended in crypto application. • For white-box crypto, this is reasonable. • Security of white-box crypto depends on how hard the cipher key is hidden, not the cipher primitives.

  19. Outline • Motivation • White-Box Cryptography • White-Box Implementation • White-Box In Practice • Conclusion

  20. First White-Box Implementation • Chow et al. 2002. A White-Box DES Implementation for DRM Applications • Chow et al. 2002. White-Box Cryptography and an AES Implementation

  21. Original DES • Basic operations: Replacing, Changing places, XOR • Chow, et al.: Transform to randomized networked lookup tables closely related to the crypto key

  22. White-Box DES • Transform a cipher into a series of key-dependent lookup tables. • Secret key is hard-code into the lookup tables • Protected by randomization techniques

  23. Lookup Tables Example • Lookup Tables: define every input & output • Any finite function can transform to a lookup table • Table A: Replacing Operation • Table B: XOR Operation • Table C: Negative Operation

  24. Lookup Tables Example • All basic primitives in DES transform into lookup tables:

  25. Divide and Conquer • Attacker may recognize every lookup table and analyze each basic operation. • Mix 3 tables into 1 big lookup table:

  26. Divide and Conquer • BUT, the lookup table will become very huge. • For n bits input & m bits output, 2n×m bits is required. • Solution: we need a series of networked lookup tables: L1 ◦ L2 ◦ L3 ◦ …

  27. Partial Evaluation • Chow, et al. adopted partial evaluation to mix crypto keys with algorithm. • Dskey(m) Dwb(m) • In DES: • Some operation is fixed (e.g. changing place)  Corresponding lookup tables are fixed -------- not affected by crypto keys • Some operation is NOT fixed (e.g. replacing using crypto key) Corresponding lookup tables are NOT fixed -------- affected by crypto keys • Attacker can distinguish the unfixed lookup tables by analyzing each table • We need to randomize every lookup table • Making distinguishing more difficult

  28. Internal Encodings • Considering 3 consecutive lookup tables in the network: L3◦L2◦L1, L2 contains some key information. • e.g. L2(x)=x⊕k • Every lookup table is available to the white-box attacker • The key information can be extracted directly • e.g. L2(0)

  29. Internal Encodings • Countermeasure: Add internal encoding: • b1, b2: randomization operations • b1-1, b2-1: opposite operations • L’3◦ L’2◦ L’1= L3◦b2-1◦b2◦ L2◦b1-1◦b1◦ L1= L3◦ L2◦ L1 • Now, L’2 does not leak any key information • Attacker have to analyze all 3 encoded tables to gain information

  30. Outline • Motivation • White-Box Cryptography • White-Box Implementation • White-Box In Practice • Conclusion

  31. Code Lifting • Attacker: No need to know internal details, just need API. • Embed the white-box implementation into his App. • Still encrypt/decrypt data as having the key.

  32. External Encodings • Same as Internal Encodings. • But not between 2 blocks inside cryptography implementation • But outside • Annihilating encoding somewhere else • e.g. incorporate into the decryption functions

  33. Traitor Tracing • Object: Detect who has been sharing code (pirate) • Use case: DRM • Insert fingerprints into white-box implementation • Can also be used in software tamper resistance • Malware instructions can be detected • Any modification leads to lookup tables collapse

  34. Conclusion • Being used in real-world application, mainly DRM apps. • Although academic attacks have been published • No attacks on commercial white-box implementation have been seen. • White-box cryptography still in its early days • Requires further research before being widely adopted.

More Related