white box cryptography n.
Skip this Video
Loading SlideShow in 5 Seconds..
White-Box Cryptography PowerPoint Presentation
Download Presentation
White-Box Cryptography

Loading in 2 Seconds...

play fullscreen
1 / 34

White-Box Cryptography - PowerPoint PPT Presentation

  • Uploaded on

White-Box Cryptography. Outline. Motivation White-Box Cryptography White-Box Implementation White-Box In Practice Conclusion. Motivation. Cryptography is widely used nowadays, attack still exists. Black-Box Attack Model White-Box Attack Model. Black-Box Attack Model.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'White-Box Cryptography' - tracen

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
  • Motivation
  • White-Box Cryptography
  • White-Box Implementation
  • White-Box In Practice
  • Conclusion

Cryptography is widely used nowadays, attack still exists.

  • Black-Box Attack Model
  • White-Box Attack Model
black box attack model
Black-Box Attack Model
  • Tries to deduce the key from a list {(plaintext, ciphertext)}
black box attack model1
Black-Box Attack Model
  • Side-channel Attack
    • Executing time
    • Electromagnetic radiation
    • Power consumption
white box attack model
White-Box Attack Model
  • Attacker has full control over software execution
    • Full access to the implementation of cryptography algorithm
    • Full access to the platform: CPU calls, memory, registers, etc.
    • Binary completely visible
    • Can manipulate the execution
white box attack model1
White-Box Attack Model
  • Target for attack
    • Implementation of cryptography
    • Secret key
white box attack example
White-Box Attack Example
  • Key Whitening Attack
    • Zero lookup tables(such as S-box) using hex editor
    • Getting output of penultimate operation
    • Original AES key easily be derived
white box attack example1
White-Box Attack Example
  • Entropy Attack
    • Object: Computer Memory
    • Keys: usually chose by random generator
    • Code: contains structure
white box attack example2
White-Box Attack Example
  • Format Analysis
    • Analyze binary code
white box attack example3
White-Box Attack Example
  • Code Boot Attack
    • Applicable to Bitlocker, TrueCrypt, FileVault
    • TrueCrypt boot loader
      • Password entered at boot time
      • Disk encryption key needs to be stored in memory
    • Attack: exploit data remanency property of DRAM, cooling increase time
    • Removed & inserted into another hacked machine to read data, such as crypto keys
  • Motivation
  • White-Box Cryptography
  • White-Box Implementation
  • White-Box In Practice
  • Conclusion
  • Hide a cryptography key in a white-box implementation
a naive example
A Naive Example
  • Implement a cipher as one big lookup table
  • No more information ‘leaks’ from the set of {(plaintext, ciphertext)}
  • Lookup Table size: For n-bit block cipher, size would be n*2n bit
    • 32 bit: 232*32 bit =237 bit=4 GBytes
  • Using a network of lookup table instead

void encrypt (uint32_t* plaintext, uint32_t* ciphertext) {

char S[] = { 0x9e37b8e9, 0xaf48c9fa, 0x8d26a7d8, … }; /* Sbox */

ciphertext = S[plaintext];


what is white box cryptography
What is White-Box Cryptography?
  • Definition
    • Dwb(m): need ONE input
    • Dk(m): need TWO input
    • Essentially, Dwb(m) is the exclusive edition of Dk(m) with specific cipher key.
what is white box cryptography1
What is White-Box Cryptography?
  • Main Idea
    • Embed both the fixed key & random data in a composition.
    • Hard to derive the original key.
      • Attacker knows which crypto algorithm
      • Attacker knows where in the memory
      • Attacker knows where in the application
what is white box cryptography2
What is White-Box Cryptography?
  • State of Art
    • Unfortunately, there is no white-box cryptography proved to be secure
    • Current best method: hide keys according to characteristics of the specific crypto algorithm
    • Only white-box DES & AES published
      • Both have been broken
    • No academic paper on asymmetric primitives
what is white box cryptography3
What is White-Box Cryptography?
  • State of Art
    • Interesting:
      • After some company buying white-box crypto solutions, they mix their own crypto, which is not recommended in crypto application.
      • For white-box crypto, this is reasonable.
      • Security of white-box crypto depends on how hard the cipher key is hidden, not the cipher primitives.
  • Motivation
  • White-Box Cryptography
  • White-Box Implementation
  • White-Box In Practice
  • Conclusion
first white box implementation
First White-Box Implementation
  • Chow et al. 2002. A White-Box DES Implementation for DRM Applications
  • Chow et al. 2002. White-Box Cryptography and an AES Implementation
original des
Original DES
  • Basic operations: Replacing, Changing places, XOR
  • Chow, et al.: Transform to randomized networked lookup tables closely related to the crypto key
white box des
White-Box DES
  • Transform a cipher into a series of key-dependent lookup tables.
  • Secret key is hard-code into the lookup tables
    • Protected by randomization techniques
lookup tables example
Lookup Tables Example
  • Lookup Tables: define every input & output
    • Any finite function can transform to a lookup table
  • Table A: Replacing Operation
  • Table B: XOR Operation
  • Table C: Negative Operation
lookup tables example1
Lookup Tables Example
  • All basic primitives in DES transform into lookup tables:
divide and conquer
Divide and Conquer
  • Attacker may recognize every lookup table and analyze each basic operation.
  • Mix 3 tables into 1 big lookup table:
divide and conquer1
Divide and Conquer
  • BUT, the lookup table will become very huge.
    • For n bits input & m bits output, 2n×m bits is required.
    • Solution: we need a series of networked lookup tables: L1 ◦ L2 ◦ L3 ◦ …
partial evaluation
Partial Evaluation
  • Chow, et al. adopted partial evaluation to mix crypto keys with algorithm.
    • Dskey(m) Dwb(m)
  • In DES:
    • Some operation is fixed (e.g. changing place)

 Corresponding lookup tables are fixed -------- not affected by crypto keys

    • Some operation is NOT fixed (e.g. replacing using crypto key)

Corresponding lookup tables are NOT fixed -------- affected by crypto keys

  • Attacker can distinguish the unfixed lookup tables by analyzing each table
  • We need to randomize every lookup table
    • Making distinguishing more difficult
internal encodings
Internal Encodings
  • Considering 3 consecutive lookup tables in the network: L3◦L2◦L1, L2 contains some key information.
    • e.g. L2(x)=x⊕k
  • Every lookup table is available to the white-box attacker
    • The key information can be extracted directly
    • e.g. L2(0)
internal encodings1
Internal Encodings
  • Countermeasure: Add internal encoding:
  • b1, b2: randomization operations
  • b1-1, b2-1: opposite operations
  • L’3◦ L’2◦ L’1= L3◦b2-1◦b2◦ L2◦b1-1◦b1◦ L1= L3◦ L2◦ L1
  • Now, L’2 does not leak any key information
    • Attacker have to analyze all 3 encoded tables to gain information
  • Motivation
  • White-Box Cryptography
  • White-Box Implementation
  • White-Box In Practice
  • Conclusion
code lifting
Code Lifting
  • Attacker: No need to know internal details, just need API.
    • Embed the white-box implementation into his App.
    • Still encrypt/decrypt data as having the key.
external encodings
External Encodings
  • Same as Internal Encodings.
    • But not between 2 blocks inside cryptography implementation
    • But outside
  • Annihilating encoding somewhere else
    • e.g. incorporate into the decryption functions
traitor tracing
Traitor Tracing
  • Object: Detect who has been sharing code (pirate)
    • Use case: DRM
  • Insert fingerprints into white-box implementation
  • Can also be used in software tamper resistance
    • Malware instructions can be detected
      • Any modification leads to lookup tables collapse
  • Being used in real-world application, mainly DRM apps.
  • Although academic attacks have been published
    • No attacks on commercial white-box implementation have been seen.
  • White-box cryptography still in its early days
    • Requires further research before being widely adopted.