White-box CryptographyWhat do you do when they’re in your server room?

BayThreat

December 6th, 2013

!Nick Sullivan

@grittygrease

My Background• Systems Engineering at CloudFlare

• Cryptography at Apple

• Threat analysis at Symantec

• M.Sc. in Cryptography

• Undergraduate Pure Mathematics

2

What this talk is about• Introduction to white-box cryptography

• Why we need this now more than ever

• Key concepts for implementations

• Steps for the future — with an announcement

3

Let’s talk about physical access• If an attacker has physical access, they have everything, right?

• Cold Boot, Evil Maid, Jailbreak, etc.

• It only takes time

!

• Solution: Lock it up!

4

Let’s talk about physical access• What about servers?

• Where are modern servers kept?

• Your own data center?

• A “physically secure” co-location facility?

• On a virtual machine in the cloud?

• On a globally-distributed CDN?

• Under which national jurisdiction?

5

Server Breaches Happen• How long does it take to get your secrets?

• Reverse engineering skill of attacker

• Diminishing cost to attacker as skills and tools accumulate

!

• Wouldn’t it be great if there was a computational burden placed on the attacker for every new secret?

• You could rotate your secrets on a fixed schedule

6

Standard Crypto Model (Black-box)

7

adversary icons: Sam Small

Alice Bob

Eve

Side-channel Attacks (Grey-box)

8

adversary icons: Sam Small

Alice Bob

Eve

White-box threat model

9

adversary icons: Sam Small

Alice Bob

Eve

White-box threat model

10

adversary icons: Sam Small

Aleve Bob

White-box Cryptography• Cryptographic implementations that hide the key from everyone

• Attackers on the wire

• Attackers outside the house

• Attackers inside the house (evil maids included)

11

White-box cryptography• Protection against key extraction in the strongest possible threat model

• Secures keys, not data

• White-box attackers no better off than black-box attackers

12

For Example• Digital Rights Management

• The key protecting streams from Spotify, Netflix, etc.

• Decryption and consumption of content happens in a controlled way

• The attacker is the consumer “Aleve”

13

White-box cryptography• History

• Invented in 2002 by Chow et al.

• Resurgence in academic attention in last two years — breaks, new constructions

• Work in progress

• No perfect white-boxes, only relatively strong ones

• General function obfuscator is not possible (Barak, 2001)

• Ciphers are not proven to be impossible to obfuscate

14

What does it get you?• Attackers cannot transform the key into a known form

• Algorithm or code has to be lifted or leveraged

• Prevents BORE (break once run everywhere) attacks

• Can’t plug into standard cryptography libraries

• Nation-state attackers use specialized hardware

• Traitor tracing

• You can rotate keys on a schedule since cost to break is bounded

15

Which algorithms?• Symmetric Key Cryptography

• DES

• AES

!

• Public Key Cryptography?

• RSA (maybe?)

• ECC (maybe?)

16

Example Implementation• 128-bit AES

• 16 byte key, 16 byte message block

• What about replacing implementation with a lookup table?

• Map from input to output indexed by order

• Lookup table has minimal information about structure of algorithm — black box

• 2^128 possible inputs of size 128bit

• Storage of 5 x 10^27 terabytes — too much

17

Example Implementation• AES Internals

• SubBytes — Byte-wise substitution

• ShiftRows — Permutation of bytes

• MixColumns — Linear combination of bytes

• AddRoundKeys — XOR a piece of the key

18

AES

19

Example Implementation• AddRoundKey, SubBytes

• Can be merged into one operation — byte-wise lookup table called a T-box

• MixColumns

• Linear combination — byte-wise lookup table for constants

• Nibble-wise lookup tables for linear factors

• Lots of lookup tables can be combined

20

Internal Encoding• Composition of functions

!

!

!

!

!

!

• Chaining random lookup tables

21

White-box compiler• Inputs

• White box description

• Random seed

• Key value

• Output

• Implementation of encryption/decryption for given key

22

4663900

Costs• Key size — Pre-scheduling causes key inflation

• Memory cost — Large lookup tables

• Performance cost — 5-10x in some cases

• Engineering cost — Integration, other anti-tampering techniques

23

In the industry• Mostly licensed for digital rights management — $$$

• Practical breaks (marcan42, Alberto Battistello, Phrack Magazine)

!

• No commercial grade open source implementation

• An affordable solution is needed

24

Introducing Open WhiteBox

25

Introducing Open WhiteBox• Group of individuals working to make white box cryptography accessible to the public

• Open source white box compiler (using LLVM)

• Working towards implementation of best current academic proposals

• Initial focus on server-side applications

!

• Participate in the conversation on Twitter @OpenWhiteBox

26

Questions?

27

BayThreat

December 6th, 2013

!Nick Sullivan

@grittygrease

@OpenWhiteBox