Presentation is loading. Please wait.

Presentation is loading. Please wait.

White-Box Cryptography

Similar presentations

Presentation on theme: "White-Box Cryptography"— Presentation transcript:

1 White-Box Cryptography

2 Outline Motivation White-Box Cryptography White-Box Implementation
White-Box In Practice Conclusion

3 Motivation Cryptography is widely used nowadays, attack still exists.
Black-Box Attack Model White-Box Attack Model

4 Black-Box Attack Model
Tries to deduce the key from a list {(plaintext, ciphertext)}

5 Black-Box Attack Model
Side-channel Attack Executing time Electromagnetic radiation Power consumption

6 White-Box Attack Model
Attacker has full control over software execution Full access to the implementation of cryptography algorithm Full access to the platform: CPU calls, memory, registers, etc. Binary completely visible Can manipulate the execution

7 White-Box Attack Model
Target for attack Implementation of cryptography Secret key

8 White-Box Attack Example
Key Whitening Attack Zero lookup tables(such as S-box) using hex editor Getting output of penultimate operation Original AES key easily be derived

9 White-Box Attack Example
Entropy Attack Object: Computer Memory Keys: usually chose by random generator Code: contains structure

10 White-Box Attack Example
Format Analysis Analyze binary code

11 White-Box Attack Example
Code Boot Attack Applicable to Bitlocker, TrueCrypt, FileVault TrueCrypt boot loader Password entered at boot time Disk encryption key needs to be stored in memory Attack: exploit data remanency property of DRAM, cooling increase time Removed & inserted into another hacked machine to read data, such as crypto keys

12 Outline Motivation White-Box Cryptography White-Box Implementation
White-Box In Practice Conclusion

13 Object Hide a cryptography key in a white-box implementation

14 A Naive Example Implement a cipher as one big lookup table
No more information ‘leaks’ from the set of {(plaintext, ciphertext)} Lookup Table size: For n-bit block cipher, size would be n*2n bit 32 bit: 232*32 bit =237 bit=4 GBytes Using a network of lookup table instead void encrypt (uint32_t* plaintext, uint32_t* ciphertext) { char S[] = { 0x9e37b8e9, 0xaf48c9fa, 0x8d26a7d8, … }; /* Sbox */ ciphertext = S[plaintext]; }

15 What is White-Box Cryptography?
Definition Dwb(m): need ONE input Dk(m): need TWO input Essentially, Dwb(m) is the exclusive edition of Dk(m) with specific cipher key.

16 What is White-Box Cryptography?
Main Idea Embed both the fixed key & random data in a composition. Hard to derive the original key. Attacker knows which crypto algorithm Attacker knows where in the memory Attacker knows where in the application

17 What is White-Box Cryptography?
State of Art Unfortunately, there is no white-box cryptography proved to be secure Current best method: hide keys according to characteristics of the specific crypto algorithm Only white-box DES & AES published Both have been broken No academic paper on asymmetric primitives

18 What is White-Box Cryptography?
State of Art Interesting: After some company buying white-box crypto solutions, they mix their own crypto, which is not recommended in crypto application. For white-box crypto, this is reasonable. Security of white-box crypto depends on how hard the cipher key is hidden, not the cipher primitives.

19 Outline Motivation White-Box Cryptography White-Box Implementation
White-Box In Practice Conclusion

20 First White-Box Implementation
Chow et al A White-Box DES Implementation for DRM Applications Chow et al White-Box Cryptography and an AES Implementation

21 Original DES Basic operations: Replacing, Changing places, XOR
Chow, et al.: Transform to randomized networked lookup tables closely related to the crypto key

22 White-Box DES Transform a cipher into a series of key-dependent lookup tables. Secret key is hard-code into the lookup tables Protected by randomization techniques

23 Lookup Tables Example Lookup Tables: define every input & output
Any finite function can transform to a lookup table Table A: Replacing Operation Table B: XOR Operation Table C: Negative Operation

24 Lookup Tables Example All basic primitives in DES transform into lookup tables:

25 Divide and Conquer Attacker may recognize every lookup table and analyze each basic operation. Mix 3 tables into 1 big lookup table:

26 Divide and Conquer BUT, the lookup table will become very huge.
For n bits input & m bits output, 2n×m bits is required. Solution: we need a series of networked lookup tables: L1 ◦ L2 ◦ L3 ◦ …

27 Partial Evaluation Chow, et al. adopted partial evaluation to mix crypto keys with algorithm. Dskey(m)  Dwb(m) In DES: Some operation is fixed (e.g. changing place)  Corresponding lookup tables are fixed not affected by crypto keys Some operation is NOT fixed (e.g. replacing using crypto key)  Corresponding lookup tables are NOT fixed affected by crypto keys Attacker can distinguish the unfixed lookup tables by analyzing each table We need to randomize every lookup table Making distinguishing more difficult

28 Internal Encodings Considering 3 consecutive lookup tables in the network: L3◦L2◦L1, L2 contains some key information. e.g. L2(x)=x⊕k Every lookup table is available to the white-box attacker The key information can be extracted directly e.g. L2(0)

29 Internal Encodings Countermeasure: Add internal encoding:
b1, b2: randomization operations b1-1, b2-1: opposite operations L’3◦ L’2◦ L’1= L3◦b2-1◦b2◦ L2◦b1-1◦b1◦ L1= L3◦ L2◦ L1 Now, L’2 does not leak any key information Attacker have to analyze all 3 encoded tables to gain information

30 Outline Motivation White-Box Cryptography White-Box Implementation
White-Box In Practice Conclusion

31 Code Lifting Attacker: No need to know internal details, just need API. Embed the white-box implementation into his App. Still encrypt/decrypt data as having the key.

32 External Encodings Same as Internal Encodings.
But not between 2 blocks inside cryptography implementation But outside Annihilating encoding somewhere else e.g. incorporate into the decryption functions

33 Traitor Tracing Object: Detect who has been sharing code (pirate)
Use case: DRM Insert fingerprints into white-box implementation Can also be used in software tamper resistance Malware instructions can be detected Any modification leads to lookup tables collapse

34 Conclusion Being used in real-world application, mainly DRM apps.
Although academic attacks have been published No attacks on commercial white-box implementation have been seen. White-box cryptography still in its early days Requires further research before being widely adopted.

Download ppt "White-Box Cryptography"

Similar presentations

Ads by Google