
Applying White-Box Cryptography

Applying White-Box Cryptography. SoBeNet user group meeting October 8, 2004 Brecht Wyseur. SoBeNet – Track 3 “Software Tamper Resistance”. COSIC – Computer Security and Industrial Cryptography Members Prof. Bart Preneel Jan Cappaert Brecht Wyseur Project Involvement Obfuscation (Jan)


Presentation Transcript


  1. Applying White-Box Cryptography SoBeNet user group meeting October 8, 2004 Brecht Wyseur

  2. SoBeNet – Track 3 “Software Tamper Resistance” • COSIC – Computer Security and Industrial Cryptography • Members • Prof. Bart Preneel • Jan Cappaert • Brecht Wyseur • Project Involvement • Obfuscation (Jan) • White-Box Cryptography (Brecht)

  3. Overview • Problem Description • State-Of-The-Art • White-Box Transformations • Pros and Cons • Future Research

  4. Problem Description • Quite easy to find stored or embedded keys • Shamir et al.: Playing hide and seek with stored keys • Algebraic attack on RSA key • Attack through entropy data [Figure label: Key information]

  5. White-Box Cryptography (Chow et al. 2002) • White-box attack context (WBAC), a.k.a. malicious host attack context • Fully privileged attack software shares a host with cryptographic software, having complete access to the implementation of algorithms; • Dynamic execution (with instantiated cryptographic keys) can be observed; • Internal algorithm details are completely visible and alterable at will. The attacker's objective is to extract the cryptographic key, e.g. for use on a standard implementation of the same algorithm on a different platform.

  6. Applications • Software Agents • Embedded cryptographic keys for signing purposes • Digital Rights Management (DRM) • Smart Card Technology • Asymmetric crypto system

  7. State-Of-The-Art • Sander et al.: Impossible situation to secure • August 2002 – Chow et al. • A White-Box DES Implementation • A White-Box AES Implementation • Link et al. – Security issues and improvements “Choice of implementation the sole remaining line of defense”

  8. General idea (1) Expanding the cryptographic border • External function encoding • Attacker: • Analyse • Isolate random bijections • Analyse to find • Goal: make isolation difficult Authentication code Cryptographic algorithm …

  9. General Idea (2) Spreading embedded secret information Thus forcing an attacker to understand a greater part of the implementation KEY

  10. White-Box Transformations How? Transform an algorithm into a series of key-dependent lookup tables

  11. White-Box Transformations • Partial Evaluation • Combined Function Encoding • By-Pass Encoding • Split Path Encoding • … Techniques apply to cryptographic algorithms built with XOR, substitution and permutation functions: AES, DES, …

  12. White-Box Transformations (2) • Partial Evaluation • Definition of a new key-dependent lookup table [Figure labels: k, 6, S, 4]

  13. White-Box Transformations (3) • Internal Function Encoding • Choose random bijection and • Encoded version: [Figure labels: A, A’, f, g, B’, B]

  14. Local Security • Internal function encoding provides local security • A’ is known. Because the bijection f is random, no information about A is revealed (similar to a one-time pad)

  15. Global Security • Currently no proof • Can we guarantee white-box security? • Trade-off between performance and level of security • AES: Cryptanalysis by Billet et al. (2004)

  16. Some Numbers • DES • Chow et al.: 4,54 Mb • Improvement by Link et al.: 2,25 Mb • AES • Normal implementation: 4.352 bytes • Chow et al.: 770.048 bytes 177 times bigger, 55 times slower 3104 lookups

  17. Pros and Cons • Pros • Expansion of cryptographic boundaries • Diversity by injection of random bijections • Cons • Performance reduction • Implementation size • Lack of proof of security

  18. Future Research • Development of new techniques • Algebraic transformations • Dynamic key implementations • Proof of security • Development of an automated application tool • Improve security with Obfuscation techniques
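
Slides 12 to 14 (partial evaluation, internal function encoding, local security) can be seen working on a toy scale. The following is an added example, not code from the presentation: the 4-bit S-box, the two-round toy cipher and all function names are assumptions chosen for illustration.

```python
import random

# Sample 4-bit S-box used only for this toy; any bijection on 0..15 works.
SBOX = [0xC, 0x5, 0x6, 0xB, 0x9, 0x0, 0xA, 0xD,
        0x3, 0xE, 0xF, 0x8, 0x4, 0x7, 0x1, 0x2]

def invert(perm):
    """Return the inverse of a permutation given as a list."""
    inv = [0] * len(perm)
    for i, v in enumerate(perm):
        inv[v] = i
    return inv

def reference(x, k1, k2):
    """Plain two-round toy cipher: the round keys appear directly."""
    return SBOX[SBOX[x ^ k1] ^ k2]

def partial_eval(k):
    """Partial evaluation: fold the key into the S-box, T[x] = S[x XOR k]."""
    return [SBOX[x ^ k] for x in range(16)]

def build_whitebox(k1, k2, rng):
    """Internal encoding: hide the value passed between the two tables
    behind a random bijection f (a real generator would use a CSPRNG)."""
    f = list(range(16))
    rng.shuffle(f)
    f_inv = invert(f)
    t1, t2 = partial_eval(k1), partial_eval(k2)
    t1_enc = [f[t1[x]] for x in range(16)]      # f o T1
    t2_enc = [t2[f_inv[v]] for v in range(16)]  # T2 o f^-1 (output left unencoded)
    return t1_enc, t2_enc

def whitebox(x, tables):
    """Run the table-only implementation; no key material is passed in."""
    t1_enc, t2_enc = tables
    return t2_enc[t1_enc[x]]

def keys_consistent_with(table):
    """Local security check: list every key k for which some bijection f'
    satisfies table = f' o S(. XOR k). All 16 keys means the table alone
    does not narrow down the key."""
    out = []
    for k in range(16):
        t_inv = invert(partial_eval(k))
        f_prime = [table[t_inv[y]] for y in range(16)]
        if sorted(f_prime) == list(range(16)):
            out.append(k)
    return out
```

The local-security result only covers one encoded table viewed in isolation; it says nothing about the composition of tables, which is the open "global security" question on slide 15.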
