White-Box Cryptography

1 / 34

# White-Box Cryptography - PowerPoint PPT Presentation

White-Box Cryptography. Outline. Motivation White-Box Cryptography White-Box Implementation White-Box In Practice Conclusion. Motivation. Cryptography is widely used nowadays, attack still exists. Black-Box Attack Model White-Box Attack Model. Black-Box Attack Model.

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.

## PowerPoint Slideshow about 'White-Box Cryptography' - tracen

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

### White-Box Cryptography

Outline
• Motivation
• White-Box Cryptography
• White-Box Implementation
• White-Box In Practice
• Conclusion
Motivation

Cryptography is widely used nowadays, attack still exists.

• Black-Box Attack Model
• White-Box Attack Model
Black-Box Attack Model
• Tries to deduce the key from a list {(plaintext, ciphertext)}
Black-Box Attack Model
• Side-channel Attack
• Executing time
• Power consumption
White-Box Attack Model
• Attacker has full control over software execution
• Binary completely visible
• Can manipulate the execution
White-Box Attack Model
• Target for attack
• Implementation of cryptography
• Secret key
White-Box Attack Example
• Key Whitening Attack
• Zero lookup tables(such as S-box) using hex editor
• Getting output of penultimate operation
• Original AES key easily be derived
White-Box Attack Example
• Entropy Attack
• Object: Computer Memory
• Keys: usually chose by random generator
• Code: contains structure
White-Box Attack Example
• Format Analysis
• Analyze binary code
White-Box Attack Example
• Code Boot Attack
• Applicable to Bitlocker, TrueCrypt, FileVault
• Password entered at boot time
• Disk encryption key needs to be stored in memory
• Attack: exploit data remanency property of DRAM, cooling increase time
• Removed & inserted into another hacked machine to read data, such as crypto keys
Outline
• Motivation
• White-Box Cryptography
• White-Box Implementation
• White-Box In Practice
• Conclusion
Object
• Hide a cryptography key in a white-box implementation
A Naive Example
• Implement a cipher as one big lookup table
• Lookup Table size: For n-bit block cipher, size would be n*2n bit
• 32 bit: 232*32 bit =237 bit=4 GBytes
• Using a network of lookup table instead

void encrypt (uint32_t* plaintext, uint32_t* ciphertext) {

char S[] = { 0x9e37b8e9, 0xaf48c9fa, 0x8d26a7d8, … }; /* Sbox */

ciphertext = S[plaintext];

}

What is White-Box Cryptography?
• Definition
• Dwb(m): need ONE input
• Dk(m): need TWO input
• Essentially, Dwb(m) is the exclusive edition of Dk(m) with specific cipher key.
What is White-Box Cryptography?
• Main Idea
• Embed both the fixed key & random data in a composition.
• Hard to derive the original key.
• Attacker knows which crypto algorithm
• Attacker knows where in the memory
• Attacker knows where in the application
What is White-Box Cryptography?
• State of Art
• Unfortunately, there is no white-box cryptography proved to be secure
• Current best method: hide keys according to characteristics of the specific crypto algorithm
• Only white-box DES & AES published
• Both have been broken
• No academic paper on asymmetric primitives
What is White-Box Cryptography?
• State of Art
• Interesting:
• After some company buying white-box crypto solutions, they mix their own crypto, which is not recommended in crypto application.
• For white-box crypto, this is reasonable.
• Security of white-box crypto depends on how hard the cipher key is hidden, not the cipher primitives.
Outline
• Motivation
• White-Box Cryptography
• White-Box Implementation
• White-Box In Practice
• Conclusion
First White-Box Implementation
• Chow et al. 2002. A White-Box DES Implementation for DRM Applications
• Chow et al. 2002. White-Box Cryptography and an AES Implementation
Original DES
• Basic operations: Replacing, Changing places, XOR
• Chow, et al.: Transform to randomized networked lookup tables closely related to the crypto key
White-Box DES
• Transform a cipher into a series of key-dependent lookup tables.
• Secret key is hard-code into the lookup tables
• Protected by randomization techniques
Lookup Tables Example
• Lookup Tables: define every input & output
• Any finite function can transform to a lookup table
• Table A: Replacing Operation
• Table B: XOR Operation
• Table C: Negative Operation
Lookup Tables Example
• All basic primitives in DES transform into lookup tables:
Divide and Conquer
• Attacker may recognize every lookup table and analyze each basic operation.
• Mix 3 tables into 1 big lookup table:
Divide and Conquer
• BUT, the lookup table will become very huge.
• For n bits input & m bits output, 2n×m bits is required.
• Solution: we need a series of networked lookup tables: L1 ◦ L2 ◦ L3 ◦ …
Partial Evaluation
• Chow, et al. adopted partial evaluation to mix crypto keys with algorithm.
• Dskey(m) Dwb(m)
• In DES:
• Some operation is fixed (e.g. changing place)

 Corresponding lookup tables are fixed -------- not affected by crypto keys

• Some operation is NOT fixed (e.g. replacing using crypto key)

Corresponding lookup tables are NOT fixed -------- affected by crypto keys

• Attacker can distinguish the unfixed lookup tables by analyzing each table
• We need to randomize every lookup table
• Making distinguishing more difficult
Internal Encodings
• Considering 3 consecutive lookup tables in the network: L3◦L2◦L1, L2 contains some key information.
• e.g. L2(x)=x⊕k
• Every lookup table is available to the white-box attacker
• The key information can be extracted directly
• e.g. L2(0)
Internal Encodings
• b1, b2: randomization operations
• b1-1, b2-1: opposite operations
• L’3◦ L’2◦ L’1= L3◦b2-1◦b2◦ L2◦b1-1◦b1◦ L1= L3◦ L2◦ L1
• Now, L’2 does not leak any key information
• Attacker have to analyze all 3 encoded tables to gain information
Outline
• Motivation
• White-Box Cryptography
• White-Box Implementation
• White-Box In Practice
• Conclusion
Code Lifting
• Attacker: No need to know internal details, just need API.
• Embed the white-box implementation into his App.
• Still encrypt/decrypt data as having the key.
External Encodings
• Same as Internal Encodings.
• But not between 2 blocks inside cryptography implementation
• But outside
• Annihilating encoding somewhere else
• e.g. incorporate into the decryption functions
Traitor Tracing
• Object: Detect who has been sharing code (pirate)
• Use case: DRM
• Insert fingerprints into white-box implementation
• Can also be used in software tamper resistance
• Malware instructions can be detected
• Any modification leads to lookup tables collapse
Conclusion
• Being used in real-world application, mainly DRM apps.
• Although academic attacks have been published
• No attacks on commercial white-box implementation have been seen.
• White-box cryptography still in its early days
• Requires further research before being widely adopted.