Broslavsky Oleg SiBears
Attacker is assumed to have:
Zero visibility on code during execution
External information, such as plaintext or ciphertext
Considered secure as long as the cipher has no cryptographic weaknesses
Attacker is assumed to have:
Partial physical access to the cryptographic key as a result of the cipher leaking side-channel information:
Electromagnetic radiation analysis
Current/power consumption analysis
Operation timing analysis
Attacker is assumed to have:
Full visibility — inputs, outputs, memory (using debuggers), and intermediate calculations
Access to the algorithms while watching how they are carried out
Traditional cryptography is not secure when running in a white-box model
Digital Rights Management systems
The end-user is able to purchase some type of premium content (e.g., a new GoT season)
The content arrives at the user’s device encrypted, and is decrypted by the software as it is viewed
A malicious end-user may attempt to extract cryptographic keys from the software and then use them to redistribute content outside the DRM system
Client-side web application
The web application forms some client-side queries to the backend
A malicious user may attempt to form malicious queries and exploit backend vulnerabilities
Common case: white-box crypto in JS
Generate for every key a fixed implementation that contains the hard-coded key
Hide the hard-coded key so that the encrypt and decrypt operations handle sensitive data without revealing any portion of the key
Make key extraction difficult or even impracticable
The Advanced Encryption Standard (AES) is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST)
Each byte in the state matrix is replaced with its SubByte value using an 8-bit substitution box
This operation provides the non-linearity in the cipher.
The S-box used is derived from the multiplicative inverse over GF(2^8)
Known to have good non-linearity properties
Cyclically shifts the bytes in each row by a certain offset
The importance of this step is to avoid the columns being linearly independent
Together with ShiftRows, MixColumns provides diffusion in the cipher
Each column is treated as a polynomial over GF(2^8) and is then multiplied modulo x^4 + 1 with a fixed polynomial c(x) = 3x^3 + x^2 + x + 2
For each round, a round key is derived from the main key using Rijndael's key schedule
The subkey is added by combining each byte of the state with the corresponding byte of the subkey using bitwise XOR
Move round key 0 into the loop
Swap the SubBytes and ShiftRows operations (the order of bytes affects only the order of substitutions, not the result)
Combine AddShiftedRoundKey and SubBytes into Nr substitution tables (one for each round)
Call these tables T-tables; they are calculated as follows:
Since MixColumns is a linear transformation, it can also be implemented using a couple of tables
The MixColumns step can be decomposed into an exclusive-or of four 32-bit values
4 Ty-tables, each with 256 entries (one for every possible byte value)
The XOR operation can also easily be implemented using substitution tables
More information can be found in §4 of A Tutorial on White-box AES by James Muir
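The reordering and table construction above, as an added example that is not from these slides or from Chow's paper: it derives the AES S-box from the GF(2^8) inverse, bakes a constructed sample round key (not one from the Rijndael key schedule) into 16 T-boxes, decomposes MixColumns into four Ty tables, and checks that one inner round computed purely by lookups and XOR equals the step-by-step round.

```python
MC = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]  # fixed MixColumns matrix
def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    for _ in range(8):
        if b & 1:
            r ^= a
        a = ((a << 1) ^ 0x11B) & 0xFF if a & 0x80 else a << 1
        b >>= 1
    return r
def build_sbox():
    """S[a] = affine map of a's multiplicative inverse (inverse of 0 taken as 0)."""
    sbox = []
    for a in range(256):
        v = s = next((b for b in range(1, 256) if gf_mul(a, b) == 1), 0)
        for _ in range(4):  # s = v ^ rotl(v,1) ^ rotl(v,2) ^ rotl(v,3) ^ rotl(v,4)
            v = ((v << 1) | (v >> 7)) & 0xFF
            s ^= v
        sbox.append(s ^ 0x63)
    return sbox
def shift_rows(s):
    """State is 16 bytes in AES column-major order: s[row + 4*col]."""
    return [s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4)]
def mix_columns(s):
    """Reference MixColumns: every column is multiplied by MC over GF(2^8)."""
    return [gf_mul(MC[r][0], s[4 * c]) ^ gf_mul(MC[r][1], s[4 * c + 1])
            ^ gf_mul(MC[r][2], s[4 * c + 2]) ^ gf_mul(MC[r][3], s[4 * c + 3])
            for c in range(4) for r in range(4)]
def round_reference(s, sbox, k_prev):
    """Inner round after Chow's reordering: AddRoundKey(k_prev), SubBytes, ShiftRows, MixColumns."""
    return mix_columns(shift_rows([sbox[x ^ k] for x, k in zip(s, k_prev)]))

def build_tbox(sbox, k_prev):
    """T[i][x] = S[x ^ k'[i]] with k' = ShiftRows(k_prev): the round key is baked into 16 tables."""
    k = shift_rows(k_prev)
    return [[sbox[x ^ k[i]] for x in range(256)] for i in range(16)]

def build_ty():
    """Ty_j[x] = MixColumns column j times x, packed as 32 bits: a column is Ty_0[a0]^...^Ty_3[a3]."""
    return [[int.from_bytes(bytes(gf_mul(MC[r][j], x) for r in range(4)), 'big')
             for x in range(256)] for j in range(4)]

def round_tables(s, tbox, ty):
    """The same round with lookups and XOR only: ShiftRows, T-boxes, Ty tables; no key appears."""
    s, out = shift_rows(s), []
    for c in range(4):
        col = [tbox[4 * c + j][s[4 * c + j]] for j in range(4)]
        out += (ty[0][col[0]] ^ ty[1][col[1]] ^ ty[2][col[2]] ^ ty[3][col[3]]).to_bytes(4, 'big')
    return out
```

Without encodings, a T-box still leaks its key byte to anyone who can apply the inverse S-box to it, which is why the deck goes on to mention mixing bijections and external encodings.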
For more security, Chow suggests applying invertible mixing bijections and external encodings to the state in every round
Comic-styled AES guide http://www.moserware.com/2009/09/stick-figure-guide-to-advanced.html
Website with aggregated information about white-box cryptography http://www.whiteboxcrypto.com/
A Tutorial on White-box AES by James Muir https://ccsl.carleton.ca/~jamuir/papers/wb-aes-tutorial.pdf
Some example implementations of White-box AES and attacks on it https://github.com/openwhitebox