white-box cryptography
DESCRIPTION
White-Box Cryptography. Outline. Motivation White-Box Cryptography White-Box Implementation White-Box In Practice Conclusion. Motivation. Cryptography is widely used nowadays, attack still exists. Black-Box Attack Model White-Box Attack Model. Black-Box Attack Model. - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: White-Box Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081505/568164ba550346895dd6c505/html5/thumbnails/1.jpg)
White-Box Cryptography
![Page 2: White-Box Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081505/568164ba550346895dd6c505/html5/thumbnails/2.jpg)
Outline• Motivation• White-Box Cryptography• White-Box Implementation• White-Box In Practice• Conclusion
![Page 3: White-Box Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081505/568164ba550346895dd6c505/html5/thumbnails/3.jpg)
MotivationCryptography is widely used nowadays, attack still exists.
• Black-Box Attack Model• White-Box Attack Model
![Page 4: White-Box Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081505/568164ba550346895dd6c505/html5/thumbnails/4.jpg)
Black-Box Attack Model• Tries to deduce the key from a list {(plaintext,
ciphertext)}
![Page 5: White-Box Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081505/568164ba550346895dd6c505/html5/thumbnails/5.jpg)
Black-Box Attack Model• Side-channel Attack• Executing time• Electromagnetic radiation• Power consumption
![Page 6: White-Box Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081505/568164ba550346895dd6c505/html5/thumbnails/6.jpg)
White-Box Attack Model• Attacker has full control over software execution• Full access to the implementation of cryptography
algorithm• Full access to the platform: CPU calls, memory, registers,
etc.• Binary completely visible• Can manipulate the execution
![Page 7: White-Box Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081505/568164ba550346895dd6c505/html5/thumbnails/7.jpg)
White-Box Attack Model• Target for attack• Implementation of cryptography• Secret key
![Page 8: White-Box Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081505/568164ba550346895dd6c505/html5/thumbnails/8.jpg)
White-Box Attack Example• Key Whitening Attack• Zero lookup tables(such as S-box) using hex editor• Getting output of penultimate operation• Original AES key easily be derived
![Page 9: White-Box Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081505/568164ba550346895dd6c505/html5/thumbnails/9.jpg)
White-Box Attack Example• Entropy Attack• Object: Computer Memory• Keys: usually chose by random generator• Code: contains structure
![Page 10: White-Box Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081505/568164ba550346895dd6c505/html5/thumbnails/10.jpg)
White-Box Attack Example• Format Analysis• Analyze binary code
![Page 11: White-Box Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081505/568164ba550346895dd6c505/html5/thumbnails/11.jpg)
White-Box Attack Example• Code Boot Attack• Applicable to Bitlocker, TrueCrypt, FileVault• TrueCrypt boot loader
• Password entered at boot time• Disk encryption key needs to be stored in memory
• Attack: exploit data remanency property of DRAM, cooling increase time• Removed & inserted into another hacked machine to
read data, such as crypto keys
![Page 12: White-Box Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081505/568164ba550346895dd6c505/html5/thumbnails/12.jpg)
Outline• Motivation• White-Box Cryptography• White-Box Implementation• White-Box In Practice• Conclusion
![Page 13: White-Box Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081505/568164ba550346895dd6c505/html5/thumbnails/13.jpg)
Object• Hide a cryptography key in a white-box
implementation
![Page 14: White-Box Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081505/568164ba550346895dd6c505/html5/thumbnails/14.jpg)
A Naive Example• Implement a cipher as one big lookup table
• No more information ‘leaks’ from the set of {(plaintext, ciphertext)}• Lookup Table size: For n-bit block cipher, size would
be n*2n bit• 32 bit: 232*32 bit =237 bit=4 GBytes
• Using a network of lookup table instead
void encrypt (uint32_t* plaintext, uint32_t* ciphertext) {char S[] = { 0x9e37b8e9, 0xaf48c9fa, 0x8d26a7d8, … }; /* Sbox */ciphertext = S[plaintext];
}
![Page 15: White-Box Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081505/568164ba550346895dd6c505/html5/thumbnails/15.jpg)
What is White-Box Cryptography?• Definition
• Dwb(m): need ONE input• Dk(m): need TWO input• Essentially, Dwb(m) is the exclusive edition of Dk(m) with
specific cipher key.
![Page 16: White-Box Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081505/568164ba550346895dd6c505/html5/thumbnails/16.jpg)
What is White-Box Cryptography?• Main Idea• Embed both the fixed key & random data in a
composition.• Hard to derive the original key.
• Attacker knows which crypto algorithm• Attacker knows where in the memory• Attacker knows where in the application
![Page 17: White-Box Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081505/568164ba550346895dd6c505/html5/thumbnails/17.jpg)
What is White-Box Cryptography?• State of Art• Unfortunately, there is no white-box cryptography
proved to be secure• Current best method: hide keys according to
characteristics of the specific crypto algorithm• Only white-box DES & AES published
• Both have been broken• No academic paper on asymmetric primitives
![Page 18: White-Box Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081505/568164ba550346895dd6c505/html5/thumbnails/18.jpg)
What is White-Box Cryptography?• State of Art• Interesting:
• After some company buying white-box crypto solutions, they mix their own crypto, which is not recommended in crypto application.
• For white-box crypto, this is reasonable.• Security of white-box crypto depends on how hard the cipher
key is hidden, not the cipher primitives.
![Page 19: White-Box Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081505/568164ba550346895dd6c505/html5/thumbnails/19.jpg)
Outline• Motivation• White-Box Cryptography• White-Box Implementation• White-Box In Practice• Conclusion
![Page 20: White-Box Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081505/568164ba550346895dd6c505/html5/thumbnails/20.jpg)
First White-Box Implementation• Chow et al. 2002. A White-Box DES Implementation
for DRM Applications• Chow et al. 2002. White-Box Cryptography and an
AES Implementation
![Page 21: White-Box Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081505/568164ba550346895dd6c505/html5/thumbnails/21.jpg)
Original DES
• Basic operations: Replacing, Changing places, XOR• Chow, et al.: Transform to randomized networked lookup
tables closely related to the crypto key
![Page 22: White-Box Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081505/568164ba550346895dd6c505/html5/thumbnails/22.jpg)
White-Box DES• Transform a cipher into a series of key-dependent
lookup tables.• Secret key is hard-code into the lookup tables• Protected by randomization techniques
![Page 23: White-Box Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081505/568164ba550346895dd6c505/html5/thumbnails/23.jpg)
Lookup Tables Example• Lookup Tables: define every input & output• Any finite function can transform to a lookup table
• Table A: Replacing Operation• Table B: XOR Operation• Table C: Negative Operation
A
输入 输出
00 1001 0110 1111 00
B
输入 输出
00 001 110 111 0
C
输入 输出
0 11 0
![Page 24: White-Box Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081505/568164ba550346895dd6c505/html5/thumbnails/24.jpg)
Lookup Tables Example• All basic primitives in DES transform into lookup
tables:
![Page 25: White-Box Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081505/568164ba550346895dd6c505/html5/thumbnails/25.jpg)
Divide and Conquer• Attacker may recognize every lookup table and
analyze each basic operation.• Mix 3 tables into 1 big lookup table:
A
输入 输出
00 1001 0110 1111 00
B
输入 输出
00 001 110 111 0
C
输入 输出
0 11 0
C ◦ B ◦ A
输入 输出
00 001 010 111 1
![Page 26: White-Box Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081505/568164ba550346895dd6c505/html5/thumbnails/26.jpg)
Divide and Conquer• BUT, the lookup table will become very huge.• For n bits input & m bits output, 2n×m bits is required.• Solution: we need a series of networked lookup tables:
L1 ◦ L2 ◦ L3 ◦ …
![Page 27: White-Box Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081505/568164ba550346895dd6c505/html5/thumbnails/27.jpg)
Partial Evaluation• Chow, et al. adopted partial evaluation to mix crypto keys with
algorithm.• Dskey(m) Dwb(m)
• In DES:• Some operation is fixed (e.g. changing place)
Corresponding lookup tables are fixed -------- not affected by crypto keys• Some operation is NOT fixed (e.g. replacing using crypto key)
Corresponding lookup tables are NOT fixed -------- affected by crypto keys
• Attacker can distinguish the unfixed lookup tables by analyzing each table• We need to randomize every lookup table
• Making distinguishing more difficult
![Page 28: White-Box Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081505/568164ba550346895dd6c505/html5/thumbnails/28.jpg)
Internal Encodings• Considering 3 consecutive lookup tables in the
network: L3◦L2◦L1, L2 contains some key information.• e.g. L2(x)=x k⊕
• Every lookup table is available to the white-box attacker• The key information can be extracted directly• e.g. L2(0)
![Page 29: White-Box Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081505/568164ba550346895dd6c505/html5/thumbnails/29.jpg)
Internal Encodings• Countermeasure: Add internal encoding:
• b1, b2: randomization operations• b1
-1, b2-1: opposite operations
• L’3◦ L’
2◦ L’1= L3◦b2
-1◦b2◦ L2◦b1-1◦b1◦ L1= L3◦ L2◦ L1
• Now, L’2 does not leak any key information
• Attacker have to analyze all 3 encoded tables to gain information
![Page 30: White-Box Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081505/568164ba550346895dd6c505/html5/thumbnails/30.jpg)
Outline• Motivation• White-Box Cryptography• White-Box Implementation• White-Box In Practice• Conclusion
![Page 31: White-Box Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081505/568164ba550346895dd6c505/html5/thumbnails/31.jpg)
Code Lifting• Attacker: No need to know internal details, just
need API.• Embed the white-box implementation into his App.• Still encrypt/decrypt data as having the key.
![Page 32: White-Box Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081505/568164ba550346895dd6c505/html5/thumbnails/32.jpg)
External Encodings• Same as Internal Encodings.
• But not between 2 blocks inside cryptography implementation
• But outside
• Annihilating encoding somewhere else• e.g. incorporate into the decryption functions
![Page 33: White-Box Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081505/568164ba550346895dd6c505/html5/thumbnails/33.jpg)
Traitor Tracing• Object: Detect who has been sharing code (pirate)• Use case: DRM
• Insert fingerprints into white-box implementation
• Can also be used in software tamper resistance• Malware instructions can be detected
• Any modification leads to lookup tables collapse
![Page 34: White-Box Cryptography](https://reader035.vdocuments.us/reader035/viewer/2022081505/568164ba550346895dd6c505/html5/thumbnails/34.jpg)
Conclusion• Being used in real-world application, mainly DRM
apps.• Although academic attacks have been published• No attacks on commercial white-box implementation
have been seen.
• White-box cryptography still in its early days• Requires further research before being widely adopted.