Embed Size (px)
DESCRIPTION
White-Box Cryptography. Outline. Motivation White-Box Cryptography White-Box Implementation White-Box In Practice Conclusion. Motivation. Cryptography is widely used nowadays, attack still exists. Black-Box Attack Model White-Box Attack Model. Black-Box Attack Model. - PowerPoint PPT Presentation
Citation preview
White-Box Cryptography
Outline• Motivation• White-Box Cryptography• White-Box Implementation• White-Box In Practice• Conclusion
MotivationCryptography is widely used nowadays, attack still exists.
• Black-Box Attack Model• White-Box Attack Model
Black-Box Attack Model• Tries to deduce the key from a list {(plaintext,
ciphertext)}
Black-Box Attack Model• Side-channel Attack• Executing time• Electromagnetic radiation• Power consumption
White-Box Attack Model• Attacker has full control over software execution• Full access to the implementation of cryptography
algorithm• Full access to the platform: CPU calls, memory, registers,
etc.• Binary completely visible• Can manipulate the execution
White-Box Attack Model• Target for attack• Implementation of cryptography• Secret key
White-Box Attack Example• Key Whitening Attack• Zero lookup tables(such as S-box) using hex editor• Getting output of penultimate operation• Original AES key easily be derived
White-Box Attack Example• Entropy Attack• Object: Computer Memory• Keys: usually chose by random generator• Code: contains structure
White-Box Attack Example• Format Analysis• Analyze binary code
White-Box Attack Example• Code Boot Attack• Applicable to Bitlocker, TrueCrypt, FileVault• TrueCrypt boot loader
• Password entered at boot time• Disk encryption key needs to be stored in memory
• Attack: exploit data remanency property of DRAM, cooling increase time• Removed & inserted into another hacked machine to
read data, such as crypto keys
Outline• Motivation• White-Box Cryptography• White-Box Implementation• White-Box In Practice• Conclusion
Object• Hide a cryptography key in a white-box
implementation
A Naive Example• Implement a cipher as one big lookup table
• No more information ‘leaks’ from the set of {(plaintext, ciphertext)}• Lookup Table size: For n-bit block cipher, size would
be n*2n bit• 32 bit: 232*32 bit =237 bit=4 GBytes
• Using a network of lookup table instead
void encrypt (uint32_t* plaintext, uint32_t* ciphertext) {char S[] = { 0x9e37b8e9, 0xaf48c9fa, 0x8d26a7d8, … }; /* Sbox */ciphertext = S[plaintext];
}
What is White-Box Cryptography?• Definition
• Dwb(m): need ONE input• Dk(m): need TWO input• Essentially, Dwb(m) is the exclusive edition of Dk(m) with
specific cipher key.
What is White-Box Cryptography?• Main Idea• Embed both the fixed key & random data in a
composition.• Hard to derive the original key.
• Attacker knows which crypto algorithm• Attacker knows where in the memory• Attacker knows where in the application
What is White-Box Cryptography?• State of Art• Unfortunately, there is no white-box cryptography
proved to be secure• Current best method: hide keys according to
characteristics of the specific crypto algorithm• Only white-box DES & AES published
• Both have been broken• No academic paper on asymmetric primitives
What is White-Box Cryptography?• State of Art• Interesting:
• After some company buying white-box crypto solutions, they mix their own crypto, which is not recommended in crypto application.
• For white-box crypto, this is reasonable.• Security of white-box crypto depends on how hard the cipher
key is hidden, not the cipher primitives.
Outline• Motivation• White-Box Cryptography• White-Box Implementation• White-Box In Practice• Conclusion
First White-Box Implementation• Chow et al. 2002. A White-Box DES Implementation
for DRM Applications• Chow et al. 2002. White-Box Cryptography and an
AES Implementation
Original DES
• Basic operations: Replacing, Changing places, XOR• Chow, et al.: Transform to randomized networked lookup
tables closely related to the crypto key
White-Box DES• Transform a cipher into a series of key-dependent
lookup tables.• Secret key is hard-code into the lookup tables• Protected by randomization techniques
Lookup Tables Example• Lookup Tables: define every input & output• Any finite function can transform to a lookup table
• Table A: Replacing Operation• Table B: XOR Operation• Table C: Negative Operation
A
输入 输出
00 1001 0110 1111 00
B
输入 输出
00 001 110 111 0
C
输入 输出
0 11 0
Lookup Tables Example• All basic primitives in DES transform into lookup
tables:
Divide and Conquer• Attacker may recognize every lookup table and
analyze each basic operation.• Mix 3 tables into 1 big lookup table:
A
输入 输出
00 1001 0110 1111 00
B
输入 输出
00 001 110 111 0
C
输入 输出
0 11 0
C ◦ B ◦ A
输入 输出
00 001 010 111 1
Divide and Conquer• BUT, the lookup table will become very huge.• For n bits input & m bits output, 2n×m bits is required.• Solution: we need a series of networked lookup tables:
L1 ◦ L2 ◦ L3 ◦ …
Partial Evaluation• Chow, et al. adopted partial evaluation to mix crypto keys with
algorithm.• Dskey(m) Dwb(m)
• In DES:• Some operation is fixed (e.g. changing place)
Corresponding lookup tables are fixed -------- not affected by crypto keys• Some operation is NOT fixed (e.g. replacing using crypto key)
Corresponding lookup tables are NOT fixed -------- affected by crypto keys
• Attacker can distinguish the unfixed lookup tables by analyzing each table• We need to randomize every lookup table
• Making distinguishing more difficult
Internal Encodings• Considering 3 consecutive lookup tables in the
network: L3◦L2◦L1, L2 contains some key information.• e.g. L2(x)=x k⊕
• Every lookup table is available to the white-box attacker• The key information can be extracted directly• e.g. L2(0)
Internal Encodings• Countermeasure: Add internal encoding:
• b1, b2: randomization operations• b1
-1, b2-1: opposite operations
• L’3◦ L’
2◦ L’1= L3◦b2
-1◦b2◦ L2◦b1-1◦b1◦ L1= L3◦ L2◦ L1
• Now, L’2 does not leak any key information
• Attacker have to analyze all 3 encoded tables to gain information
Outline• Motivation• White-Box Cryptography• White-Box Implementation• White-Box In Practice• Conclusion
Code Lifting• Attacker: No need to know internal details, just
need API.• Embed the white-box implementation into his App.• Still encrypt/decrypt data as having the key.
External Encodings• Same as Internal Encodings.
• But not between 2 blocks inside cryptography implementation
• But outside
• Annihilating encoding somewhere else• e.g. incorporate into the decryption functions
Traitor Tracing• Object: Detect who has been sharing code (pirate)• Use case: DRM
• Insert fingerprints into white-box implementation
• Can also be used in software tamper resistance• Malware instructions can be detected
• Any modification leads to lookup tables collapse
Conclusion• Being used in real-world application, mainly DRM
apps.• Although academic attacks have been published• No attacks on commercial white-box implementation
have been seen.
• White-box cryptography still in its early days• Requires further research before being widely adopted.
![H2020-ICT-2014 { Project 645421 ECRYPT { CSA ECRYPT ...White-box cryptography from obfuscation White-box cryptography was introduced in [15, 16] as cryptography in the worst-case adver-sarial](https://img.dokumen.tips/doc/110x75/601da6e4c78be05aa87e1d90/h2020-ict-2014-project-645421-ecrypt-csa-ecrypt-white-box-cryptography-from.jpg)
![Cryptanalysis of the Xiao { Lai White-Box AES Implementation · White-box cryptography was introduced in 2002 by Chow, Eisen, Johnson and van Oorschot in [4,5], and aims at protecting](https://img.dokumen.tips/doc/110x75/601da4a597ebf1166d7bbcf7/cryptanalysis-of-the-xiao-lai-white-box-aes-implementation-white-box-cryptography.jpg)
