Applying White-Box Cryptography

SoBeNet user group meetingOctober 8, 2004

Brecht Wyseur

SoBeNet – Track 3“Software Tamper Resistance” COSIC – Computer Security and Industrial

Cryptography Members

Prof. Bart Preneel Jan Cappaert Brecht Wyseur

Project Involvement Obfuscation (Jan) White-Box Cryptography (Brecht)

Overview

Problem Description State-Of-The-Art White-Box Transformations Pro’s and Cons Future Research

Problem Description

Quite easy to find stored or embedded keys

Shamir et al.: Playing hide and seek with stored keys Algebraic attack on RSA key Attack through entropy data

Key information

White-Box Cryptography (chow et al. 2002)

White-box attack context (WBAC)a.k.a. Malicious host attack context

Full-privileged attack software shares a host with cryptographic software, having complete access to the implementation of algorithms;

Dynamic execution (with instantiated cryptographic keys) can be observed;

Internal algorithm details are completely visible and alterable at will.

The attacker's objective is to extract the cryptographic key, e.g. For use on a standard implementation of the same algorithm on a different platform.

Applications

Software AgentsEmbedded cryptographic keys for signing

purposes Digital Rights Management (DRM) Smart Card Technology Asymmetric crypto system

State-Of-The-Art

Sander et al.: Impossible situation to secure August 2002 – Chow et al.

A White-Box DES Implementation A White-Box AES Implementation

Link et al. – Security issues and improvements

“Choice of implementation the sole remaining line of defense”

General idea (1)Expanding the cryptographic border

External function encoding

Attacker: Analyse Isolate random bijections Analyse to find

Goal: make isolation difficult

'k kE g E f

'kE

,g f

kE k

Cryptographicalgorithm

Authentication

code

…

General Idea (2)Spreading embedded secret information

Thus forcing an attacker to understand a greater part of the implementation

KEY

How?

White-Box

Transformations

Transform an algorithm into a series of key-dependant lookup tables

White-Box Transformations

Partial Evaluation Combined Function Encoding By-Pass Encoding Split Path Encoding …

Techniques apply on cryptographic algorithms build with XOR, substitution and permutation functions

AES, DES, …

White-Box Transformations (2)

Partial Evaluation

)( kxSTk

6

4

S

Definition of a new key-dependant lookup table

kT

k

Internal Function Encoding

AA

BB

A’A’

B’B’

gBB

AfA

'

'

Encoded version:

1 fg

ff

gg

Choose random bijection

and

f

White-Box Transformations (3)

Local Security

Internal function encoding provides local security

A’ is known. Because the bijection f is random, no information can be revealed of A

(similar to one time path)

Global Security

Currently no proof Can we guarantee white-box security?

Trade-off between performance and level of security

AES: Cryptanalysis by Billet et al. (2004)

Some Numbers

DESChow et al.: 4,54 Mb Improvement by Link et al.: 2,25 Mb

AESNormal implementation: 4.352 bytesChow et al.: 770.048 bytes

177 times bigger, 55 times slower3104 lookups

Pro’s and Cons

Pro’sExpansion of cryptographic boundariesDiversity by injection of random bijections

ConsPerformance reduction Implementation sizeLack of proof of security

Future Research

Development of new techniques Algebraic transformations Dynamic key implementations

Proof of security Development of an automated application tool Improve security with Obfuscation techniques