applying white-box cryptography sobenet user group meeting october 8, 2004 brecht wyseur
TRANSCRIPT
Applying White-Box Cryptography
SoBeNet user group meetingOctober 8, 2004
Brecht Wyseur
SoBeNet – Track 3“Software Tamper Resistance” COSIC – Computer Security and Industrial
Cryptography Members
Prof. Bart Preneel Jan Cappaert Brecht Wyseur
Project Involvement Obfuscation (Jan) White-Box Cryptography (Brecht)
Overview
Problem Description State-Of-The-Art White-Box Transformations Pro’s and Cons Future Research
Problem Description
Quite easy to find stored or embedded keys
Shamir et al.: Playing hide and seek with stored keys Algebraic attack on RSA key Attack through entropy data
Key information
White-Box Cryptography (chow et al. 2002)
White-box attack context (WBAC)a.k.a. Malicious host attack context
Full-privileged attack software shares a host with cryptographic software, having complete access to the implementation of algorithms;
Dynamic execution (with instantiated cryptographic keys) can be observed;
Internal algorithm details are completely visible and alterable at will.
The attacker's objective is to extract the cryptographic key, e.g. For use on a standard implementation of the same algorithm on a different platform.
Applications
Software AgentsEmbedded cryptographic keys for signing
purposes Digital Rights Management (DRM) Smart Card Technology Asymmetric crypto system
State-Of-The-Art
Sander et al.: Impossible situation to secure August 2002 – Chow et al.
A White-Box DES Implementation A White-Box AES Implementation
Link et al. – Security issues and improvements
“Choice of implementation the sole remaining line of defense”
General idea (1)Expanding the cryptographic border
External function encoding
Attacker: Analyse Isolate random bijections Analyse to find
Goal: make isolation difficult
'k kE g E f
'kE
,g f
kE k
Cryptographicalgorithm
Authentication
code
…
General Idea (2)Spreading embedded secret information
Thus forcing an attacker to understand a greater part of the implementation
KEY
How?
White-Box
Transformations
Transform an algorithm into a series of key-dependant lookup tables
White-Box Transformations
Partial Evaluation Combined Function Encoding By-Pass Encoding Split Path Encoding …
Techniques apply on cryptographic algorithms build with XOR, substitution and permutation functions
AES, DES, …
White-Box Transformations (2)
Partial Evaluation
)( kxSTk
6
4
S
Definition of a new key-dependant lookup table
kT
k
Internal Function Encoding
AA
BB
A’A’
B’B’
gBB
AfA
'
'
Encoded version:
1 fg
ff
gg
Choose random bijection
and
f
White-Box Transformations (3)
Local Security
Internal function encoding provides local security
A’ is known. Because the bijection f is random, no information can be revealed of A
(similar to one time path)
Global Security
Currently no proof Can we guarantee white-box security?
Trade-off between performance and level of security
AES: Cryptanalysis by Billet et al. (2004)
Some Numbers
DESChow et al.: 4,54 Mb Improvement by Link et al.: 2,25 Mb
AESNormal implementation: 4.352 bytesChow et al.: 770.048 bytes
177 times bigger, 55 times slower3104 lookups
Pro’s and Cons
Pro’sExpansion of cryptographic boundariesDiversity by injection of random bijections
ConsPerformance reduction Implementation sizeLack of proof of security
Future Research
Development of new techniques Algebraic transformations Dynamic key implementations
Proof of security Development of an automated application tool Improve security with Obfuscation techniques