Presentation is loading. Please wait.

Presentation is loading. Please wait.

White-Box Cryptography. Outline Motivation White-Box Cryptography White-Box Implementation White-Box In Practice Conclusion.

Similar presentations


Presentation on theme: "White-Box Cryptography. Outline Motivation White-Box Cryptography White-Box Implementation White-Box In Practice Conclusion."— Presentation transcript:

1 White-Box Cryptography

2 Outline Motivation White-Box Cryptography White-Box Implementation White-Box In Practice Conclusion

3 Motivation Cryptography is widely used nowadays, attack still exists. Black-Box Attack Model White-Box Attack Model

4 Black-Box Attack Model Tries to deduce the key from a list {(plaintext, ciphertext)}

5 Black-Box Attack Model Side-channel Attack Executing time Electromagnetic radiation Power consumption

6 White-Box Attack Model Attacker has full control over software execution Full access to the implementation of cryptography algorithm Full access to the platform: CPU calls, memory, registers, etc. Binary completely visible Can manipulate the execution

7 White-Box Attack Model Target for attack Implementation of cryptography Secret key

8 White-Box Attack Example Key Whitening Attack Zero lookup tables(such as S-box) using hex editor Getting output of penultimate operation Original AES key easily be derived

9 White-Box Attack Example Entropy Attack Object: Computer Memory Keys: usually chose by random generator Code: contains structure

10 White-Box Attack Example Format Analysis Analyze binary code

11 White-Box Attack Example Code Boot Attack Applicable to Bitlocker, TrueCrypt, FileVault TrueCrypt boot loader Password entered at boot time Disk encryption key needs to be stored in memory Attack: exploit data remanency property of DRAM, cooling increase time Removed & inserted into another hacked machine to read data, such as crypto keys

12 Outline Motivation White-Box Cryptography White-Box Implementation White-Box In Practice Conclusion

13 Object Hide a cryptography key in a white-box implementation

14 A Naive Example Implement a cipher as one big lookup table No more information ‘leaks’ from the set of {(plaintext, ciphertext)} Lookup Table size: For n-bit block cipher, size would be n*2 n bit 32 bit: 2 32 *32 bit =2 37 bit=4 GBytes Using a network of lookup table instead void encrypt (uint32_t* plaintext, uint32_t* ciphertext) { char S[] = { 0x9e37b8e9, 0xaf48c9fa, 0x8d26a7d8, … }; /* Sbox */ ciphertext = S[plaintext]; }

15 What is White-Box Cryptography? Definition D wb (m): need ONE input D k (m): need TWO input Essentially, D wb (m) is the exclusive edition of D k (m) with specific cipher key.

16 What is White-Box Cryptography? Main Idea Embed both the fixed key & random data in a composition. Hard to derive the original key. Attacker knows which crypto algorithm Attacker knows where in the memory Attacker knows where in the application

17 What is White-Box Cryptography? State of Art Unfortunately, there is no white-box cryptography proved to be secure Current best method: hide keys according to characteristics of the specific crypto algorithm Only white-box DES & AES published Both have been broken No academic paper on asymmetric primitives

18 What is White-Box Cryptography? State of Art Interesting: After some company buying white-box crypto solutions, they mix their own crypto, which is not recommended in crypto application. For white-box crypto, this is reasonable. Security of white-box crypto depends on how hard the cipher key is hidden, not the cipher primitives.

19 Outline Motivation White-Box Cryptography White-Box Implementation White-Box In Practice Conclusion

20 First White-Box Implementation Chow et al. 2002. A White-Box DES Implementation for DRM Applications Chow et al. 2002. White-Box Cryptography and an AES Implementation

21 Original DES Basic operations: Replacing, Changing places, XOR Chow, et al.: Transform to randomized networked lookup tables closely related to the crypto key

22 White-Box DES Transform a cipher into a series of key-dependent lookup tables. Secret key is hard-code into the lookup tables Protected by randomization techniques

23 Lookup Tables Example Lookup Tables: define every input & output Any finite function can transform to a lookup table Table A: Replacing Operation Table B: XOR Operation Table C: Negative Operation

24 Lookup Tables Example All basic primitives in DES transform into lookup tables:

25 Divide and Conquer Attacker may recognize every lookup table and analyze each basic operation. Mix 3 tables into 1 big lookup table:

26 Divide and Conquer BUT, the lookup table will become very huge. For n bits input & m bits output, 2 n ×m bits is required. Solution: we need a series of networked lookup tables: L 1 ◦ L 2 ◦ L 3 ◦ …

27 Partial Evaluation Chow, et al. adopted partial evaluation to mix crypto keys with algorithm. D skey (m)  D wb (m) In DES: Some operation is fixed (e.g. changing place)  Corresponding lookup tables are fixed -------- not affected by crypto keys Some operation is NOT fixed (e.g. replacing using crypto key)  Corresponding lookup tables are NOT fixed -------- affected by crypto keys Attacker can distinguish the unfixed lookup tables by analyzing each table We need to randomize every lookup table Making distinguishing more difficult

28 Internal Encodings Considering 3 consecutive lookup tables in the network: L 3 ◦L 2 ◦L 1, L 2 contains some key information. e.g. L 2 (x)=x ⊕ k Every lookup table is available to the white-box attacker The key information can be extracted directly e.g. L 2 (0)

29 Internal Encodings Countermeasure: Add internal encoding: b 1, b 2 : randomization operations b 1 -1, b 2 -1 : opposite operations L ’ 3 ◦ L ’ 2 ◦ L ’ 1 = L 3 ◦b 2 -1 ◦b 2 ◦ L 2 ◦b 1 -1 ◦b 1 ◦ L 1 = L 3 ◦ L 2 ◦ L 1 Now, L ’ 2 does not leak any key information Attacker have to analyze all 3 encoded tables to gain information

30 Outline Motivation White-Box Cryptography White-Box Implementation White-Box In Practice Conclusion

31 Code Lifting Attacker: No need to know internal details, just need API. Embed the white-box implementation into his App. Still encrypt/decrypt data as having the key.

32 External Encodings Same as Internal Encodings. But not between 2 blocks inside cryptography implementation But outside Annihilating encoding somewhere else e.g. incorporate into the decryption functions

33 Traitor Tracing Object: Detect who has been sharing code (pirate) Use case: DRM Insert fingerprints into white-box implementation Can also be used in software tamper resistance Malware instructions can be detected Any modification leads to lookup tables collapse

34 Conclusion Being used in real-world application, mainly DRM apps. Although academic attacks have been published No attacks on commercial white-box implementation have been seen. White-box cryptography still in its early days Requires further research before being widely adopted.


Download ppt "White-Box Cryptography. Outline Motivation White-Box Cryptography White-Box Implementation White-Box In Practice Conclusion."

Similar presentations


Ads by Google