Broslavsky Oleg SiBears

Attacker is assumed to have:

Zero visibility on code during execution

External information, such as plaintext or ciphertext

Considered secure as long as the cipher has no cryptographic weaknesses

Attacker is assumed to have:

Partial physical access to the cryptographic key as a result of the cipher leaking side-channel information Electromagnetic radiation analysis

Current/power consumption analysis

Operation timing analysis

Attacker is assumed to have:

Full visibility — inputs, outputs, memory (using debuggers), and intermediate calculations

Access to the algorithms while watching how they are carried out

Traditional cryptography is not secure when running in a white-box model

Digital Rights Management Systems The end-user is then able to purchase some

type of premium content (e.g., new GoT season)

The content arrives at the user’s device encrypted, and is decrypted by the software as it is viewed

A malicious end-user may attempt to extract cryptographic keys from the software and then use them to redistribute content outside the DRM system

Client-side web application. Web application forms some client-side

queries to the backend

A malicious user may attempt to form malicious queries and exploit some backend vulnerabilities

Common case W/ white-box crypto in JS

Generate for every key a fixed implementation, that will contain hard-coded key

Hide hardcoded key so, that encrypt and decrypt operations maintain sensitive data without revealing any portions of the key

Make the key extraction difficult or even impracticable

The Advanced Encryption Standard (AES) is a specification for the encryptionof electronic data established by the U.S. National Institute of Standards and Technology (NIST)

Each byte in the state matrix is replaced with a SubByte using an 8-bit substitution box

This operation provides the non-linearity in the cipher.

The S-box used is derived from the multiplicative inverse over GF(28)

Known to have good non-linearity properties

Cyclically shifts the bytes in each row by a certain offset

The importance of this step is to avoid the columns being linearly independent

Together with ShiftRows, MixColumns provides diffusion in the cipher

Each column is treated as a polynomial over GF(28) and is then multiplied modulo x4+1 with a fixed polynomial c(x) = 3x3 + x2 + x + 2

For each round, a round key is derived from the main key using Rijndael's key schedule

The subkey is added by combining each byte of the state with the corresponding byte of the subkey using bitwise XOR

Move 0 round key into the loop

Swap SubBytes and ShiftRows operations (order of bytes affects

only the order of substitutions not the

result at all)

Combine AddShiftedRoudKey and

SubBytes into Nr substitution tables (one

for each round).

Name such tables T-tables and will calculate them as following:

Since the MixColumns is a linear transformation,

it can also be implemented using

couple of tables

MixColumns step can be decomposed into an exclusive-or of four 32-bit values

4 x TyTables each with 256 entries (one for every possible byte value)

XOR operation also could easily be implemented

using substitution tables

More information can be found in §4 of A Tutorial on White-box AES by

James Muir

For more security Chow suggest to apply to the state in every round

invertible mixing bijections and external

encodings

Comics styled AES http://www.moserware.com/2009/09/stick-figure-guide-to-advanced.html

Website with aggregated information about white-box cryptography http://www.whiteboxcrypto.com/

A Tutorial on White-box AES by James Muir https://ccsl.carleton.ca/~jamuir/papers/wb-aes-tutorial.pdf

Some example implementations of White-box AES and attacks on it https://github.com/openwhitebox

Oleg Broslavsky

ovbroslavsky@gmail.com

@yalegko