White-Box Cryptography
Outline
• Motivation • White-Box Cryptography • White-Box Implementation • White-Box In Practice • Conclusion
Motivation
Cryptography is widely used nowadays, but attacks still exist.
• Black-Box Attack Model • White-Box Attack Model
Black-Box Attack Model
• Attacker tries to deduce the key from a list of {(plaintext, ciphertext)} pairs
Black-Box Attack Model
• Side-channel Attack • Execution time • Electromagnetic radiation • Power consumption
White-Box Attack Model
• Attacker has full control over software execution • Full access to the implementation of the cryptographic algorithm • Full access to the platform: CPU calls, memory, registers, etc.
• Binary completely visible • Can manipulate the execution
White-Box Attack Model
• Target for attack • Implementation of cryptography • Secret key
White-Box Attack Example
• Key Whitening Attack • Zero lookup tables (such as the S-box) using a hex editor • Get the output of the penultimate operation • The original AES key can easily be derived
White-Box Attack Example
• Entropy Attack • Object: computer memory • Keys: usually chosen by a random generator • Code: contains structure
White-Box Attack Example
• Format Analysis • Analyze binary code
White-Box Attack Example
• Cold Boot Attack • Applicable to Bitlocker, TrueCrypt, FileVault • TrueCrypt boot loader • Password entered at boot time • Disk encryption key needs to be stored in memory • Attack: exploit the data remanence property of DRAM; cooling increases the retention time • DRAM is removed & inserted into another hacked machine to read data, such as crypto keys
Outline
• Motivation • White-Box Cryptography • White-Box Implementation • White-Box In Practice • Conclusion
Objective
• Hide a cryptographic key in a white-box implementation
A Naive Example
• Implement a cipher as one big lookup table

    #include <stdint.h>

    void encrypt(uint32_t *plaintext, uint32_t *ciphertext) {
        /* S-box: one 32-bit output word for every possible 32-bit input */
        static const uint32_t S[] = { 0x9e37b8e9, 0xaf48c9fa, 0x8d26a7d8, … };
        *ciphertext = S[*plaintext];
    }

• No more information ‘leaks’ than from the set of {(plaintext, ciphertext)}
• Lookup table size: for an n-bit block cipher, the size would be $n \times 2^n$ bits
• 32 bit: $2^{32} \times 32$ bits $= 2^{37}$ bits $=$ 4 GBytes
• Use a network of lookup tables instead
What is White-Box Cryptography?
• Definition
• $D_{wb}(m)$: needs ONE input
• $D_k(m)$: needs TWO inputs
• Essentially, $D_{wb}(m)$ is a specialized version of $D_k(m)$ for one specific cipher key.
What is White-Box Cryptography?
• Main Idea • Embed both the fixed key & random data in a composition.
• Hard to derive the original key.
• Attacker knows which crypto algorithm • Attacker knows where in the memory • Attacker knows where in the application
What is White-Box Cryptography?
• State of the Art • Unfortunately, no white-box cryptography scheme has been proved to be secure • Current best method: hide keys according to the characteristics of the specific crypto algorithm • Only white-box DES & AES have been published • Both have been broken • No academic paper on asymmetric primitives
What is White-Box Cryptography?
• State of the Art • Interesting:
• After buying white-box crypto solutions, some companies mix in their own crypto, which is not recommended in crypto applications.
• For white-box crypto, this is reasonable.
• Security of white-box crypto depends on how well the cipher key is hidden, not on the cipher primitives.
Outline
• Motivation • White-Box Cryptography • White-Box Implementation • White-Box In Practice • Conclusion
First White-Box Implementation
• Chow et al. 2002. A White-Box DES Implementation for DRM Applications
• Chow et al. 2002. White-Box Cryptography and an AES Implementation
Original DES
• Basic operations: replacing, changing places, XOR
• Chow et al.: transform the cipher into a randomized network of lookup tables closely tied to the crypto key
White-Box DES
• Transform a cipher into a series of key-dependent lookup tables.
• Secret key is hard-coded into the lookup tables • Protected by randomization techniques
Lookup Tables Example
• Lookup tables: define every input & output
• Any finite function can be transformed into a lookup table
• Table A: replacing operation
• Table B: XOR operation
• Table C: negation operation

Table A    Input:   00  01  10  11
           Output:  10  01  11  00

Table B    Input:   00  01  10  11
           Output:  0   1   1   0

Table C    Input:   0   1
           Output:  1   0
Lookup Tables Example
• All basic primitives in DES can be transformed into lookup tables.
Divide and Conquer
• Attacker may recognize every lookup table and analyze each basic operation.
• Mix 3 tables into 1 big lookup table:

Table A          Input:   00  01  10  11
                 Output:  10  01  11  00

Table B          Input:   00  01  10  11
                 Output:  0   1   1   0

Table C          Input:   0   1
                 Output:  1   0

Table C ◦ B ◦ A  Input:   00  01  10  11
                 Output:  0   0   1   1
Divide and Conquer
• BUT, the lookup table will become huge.
• For an n-bit input & m-bit output, $2^n \times m$ bits are required.
• Solution: we need a series of networked lookup tables: $L_1 \circ L_2 \circ L_3 \circ \dots$
Partial Evaluation
• Chow et al. adopted partial evaluation to mix the crypto keys with the algorithm.
• $D_{skey}(m)$ → $D_{wb}(m)$
• In DES:
• Some operations are fixed (e.g. changing places): the corresponding lookup tables are fixed, not affected by crypto keys
• Some operations are NOT fixed (e.g. replacing using the crypto key): the corresponding lookup tables are NOT fixed, they are affected by crypto keys
• Attacker can distinguish the unfixed lookup tables by analyzing each table
• We need to randomize every lookup table
• Making distinguishing more difficult
Internal Encodings
• Consider 3 consecutive lookup tables in the network, $L_3 \circ L_2 \circ L_1$, where $L_2$ contains some key information.
• e.g. $L_2(x) = x \oplus k$
• Every lookup table is available to the white-box attacker
• The key information can be extracted directly, e.g. $L_2(0) = 0 \oplus k = k$
Internal Encodings
• Countermeasure: add internal encodings
• $b_1$, $b_2$: randomization operations
• $b_1^{-1}$, $b_2^{-1}$: opposite (inverse) operations
• $L'_3 \circ L'_2 \circ L'_1 = L_3 \circ b_2^{-1} \circ b_2 \circ L_2 \circ b_1^{-1} \circ b_1 \circ L_1 = L_3 \circ L_2 \circ L_1$
• Now, $L'_2$ does not leak any key information
• Attacker has to analyze all 3 encoded tables to gain information
Outline
• Motivation • White-Box Cryptography • White-Box Implementation • White-Box In Practice • Conclusion
Code Lifting
• Attacker: no need to know the internal details, only the API.
• Embeds the white-box implementation into his own app.
• Can still encrypt/decrypt data as if he had the key.
External Encodings
• Same as Internal Encodings.
• But applied not between 2 blocks inside the cryptographic implementation, but outside it • The encoding is annihilated somewhere else • e.g. incorporated into the decryption functions
Traitor Tracing
• Objective: detect who has been sharing code (the pirate) • Use case: DRM • Insert fingerprints into the white-box implementation • Can also be used for software tamper resistance • Malware instructions can be detected • Any modification causes the lookup tables to collapse
Conclusion
• Already used in real-world applications, mainly DRM apps.
• Although academic attacks have been published, no attacks on commercial white-box implementations have been seen.
• White-box cryptography is still in its early days • Requires further research before being widely adopted.