THE KEY RECOVERY ATTACKS CRYPTOGRAPHY IMPLEMENTATIONS AGAINST COMMERCIAL WHITE BOX SANGHWAN AHN(H2SPICE), LINE CORPORATION

Size: px

Start display at page:

Download "THE KEY RECOVERY ATTACKS CRYPTOGRAPHY IMPLEMENTATIONS AGAINST COMMERCIAL WHITE BOX SANGHWAN AHN(H2SPICE), LINE CORPORATION"

Hillary Copeland
6 years ago
Views:

1 THE KEY RECOVERY ATTACKS AGAINST COMMERCIAL WHITE BOX CRYPTOGRAPHY IMPLEMENTATIONS SANGHWAN AHN(H2SPICE), LINE CORPORATION

2 AGENDA Introduction WHITE-BOX CRYPTOGRAPHY White-box Cryptanalysis Conclusion

3 INTRODUCTION

4 CRYPTO SYSTEM IN THE SOFTWARE

5 WHITE-BOX THREAT MODEL Binary is completely visible to an attacker Attacker has full access to the cryptography algorithm Attacker has full control over its execution environment Unlimited amount of queries

6 SECURE ELEMENT Trusted execution environment(tee) ARM Trustzone, Intel SGX, AMD Memory Encryption It s almost safe, but not many supported devices (mostly latest devices) White-box cryptography(wbc) All academic WBC solutions have been broken No attack has been observed to date on commercial WBC

7 WHITE-BOX CRYPTOGRAPHY

8 WHITE-BOX AES IMPLEMENTATION Key PlainText PlainText SubBytes ShiftRows WBC MixColumns AddRoundKey CipherText CipherText

9 KEY PARTIAL EVALUATION Key Input x Sbox ( x key ) Tbox

10 unsigned int Tboxes[9][16][256] = { /*First Round, K[0] is 0x6c*/ { 0xf05050a0, 0x443c3c78, 0xba9f9f25, 0xe3a8a84b, 0xcf45458a, 0x10f9f9e9, 0x , 0x817f7ffe, 0xc , 0xd74d4d9a, 0x , 0x , 0x6bd0d0bb, 0x2aefefc5, 0xe5aaaa4f, 0x16fbfbed, 0x , 0x1affffe5, 0x0ef3f3fd, 0x6dd2d2bf, 0xdfbcbc63, 0xc1b6b677, 0x75dadaaf, 0x , 0xad92923f, 0xbc9d9d21, 0x , 0x04f5f5f1, 0xf35151a2, 0xfea3a35d, 0xc , 0x8a8f8f05, 0x7b292952, 0x3ee3e3dd, 0x712f2f5e, 0x , 0xf65252a4, 0x4d3b3b76, 0x61d6d6b7, 0xceb3b37d, 0x2d1b1b36, 0xb26e6edc, 0xee5a5ab4, 0xfba0a05b, 0x1b090912, 0x9e83831d, 0x742c2c58, 0x2e1a1a34, 0xde4a4a94, 0xd44c4c98, 0xe85858b0, 0x4acfcf85, 0xbe6a6ad4, 0x46cbcb8d, 0xd9bebe67, 0x4b393972, 0x , 0x1ffcfce3, 0xc8b1b179, 0xed5b5bb6, 0xf55353a6, 0x68d1d1b9, 0x , 0x2cededc1, 0x937171e2, 0x73d8d8ab, 0x , 0x3f15152a, 0x5c343468, 0xf4a5a551, 0x34e5e5d1, 0x08f1f1f9, 0x5a36366c, 0x413f3f7e, 0x02f7f7f5, 0x4fcccc83, 0xc2b7b775, 0x1cfdfde1, 0xae93933d, 0x6a26264c, 0x26ebebcd, 0x e, 0xcdb2b27f, 0x9f7575ea, 0x e, 0x , 0x9b80801b, 0x3de2e2df, 0x , 0xa , 0x0f05050a, 0xb59a9a2f, 0x0c040408, 0x52c7c795, 0x , 0x5ec3c39d, 0x19fefee7, 0x62d7d7b5, 0xe6abab4d, 0x9a7676ec, 0x , 0x , 0xa96767ce, 0x7d2b2b56, 0x0df2f2ff, 0xbd6b6bd6, 0xb16f6fde, 0x54c5c591, 0xa56363c6, 0x847c7cf8, 0x997777ee, 0x8d7b7bf6, 0xbf9c9c23, 0xf7a4a453, 0x967272e4, 0x5bc0c09b, 0xecadad41, 0x67d4d4b3, 0xfda2a25f, 0xeaafaf45, 0x15fafaef, 0xeb5959b2, 0xc947478e, 0x0bf0f0fb, 0x45caca8f, 0x9d82821f, 0x40c9c989, 0x877d7dfa, 0x49cece87, 0xff5555aa, 0x , 0x7adfdfa5, 0xb69b9b2d, 0x221e1e3c, 0x , 0x20e9e9c9, 0xbb6969d2, 0x70d9d9a9, 0x898e8e07, 0xa , 0x38e1e1d9, 0x13f8f8eb, 0xb398982b, 0x , 0xcbb0b07b, 0xfc5454a8, 0xd6bbbb6d, 0x3a16162c, 0xc , 0xb , 0x772d2d5a, 0x110f0f1e, 0xdabfbf65, 0x31e6e6d7, 0xc , 0xb86868d0, 0x8f8c8c03, 0xf8a1a159, 0x , 0x170d0d1a, 0xdd4b4b96, 0xdcbdbd61, 0x868b8b0d, 0x858a8a0f, 0x23e8e8cb, 0x7cdddda1, 0x9c7474e8, 0x211f1f3e, 0x241c1c38, 0xf1a6a657, 0xc7b4b473, 0x51c6c697, 0xd5baba6f, 0x887878f0, 0x6f25254a, 0x722e2e5c, 0x , 0x58c1c199, 0x271d1d3a, 0xb99e9e27, 0xa36161c2, 0x5f35356a, 0xf95757ae, 0xd0b9b969, 0xd , 0x , 0x01f6f6f7, 0x120e0e1c, 0x907070e0, 0x423e3e7c, 0xc4b5b571, 0xaa6666cc, 0xa , 0xa , 0x37e4e4d3, 0x8b7979f2, 0x5dc2c29f, 0x6ed3d3bd, 0xefacac43, 0xa66262c4, 0xdb494992, 0x0a06060c, 0x6c242448, 0xe45c5cb8, 0x3be0e0db, 0x , 0x4e3a3a74, 0x1e0a0a14, 0xaf6565ca, 0x8e7a7af4, 0xe9aeae47, 0x , 0xb46c6cd8, 0xfa5656ac, 0x07f4f4f3, 0x25eaeacf, 0x8c8d8d01, 0x64d5d5b1, 0xd24e4e9c, 0xe0a9a949, 0x32e7e7d5, 0x43c8c88b, 0x e, 0xb76d6dda, 0xac6464c8, 0xe75d5dba, 0x2b191932, 0x957373e6, 0x57c4c493, 0xf2a7a755, 0x827e7efc, 0x473d3d7a, 0xe15f5fbe, 0xa , 0xcc444488, 0x e, 0x4ccdcd81, 0x140c0c18, 0x , 0x2fececc3, 0x79dedea7, 0xe25e5ebc, 0x1d0b0b16, 0x76dbdbad, 0xca46468c, 0x29eeeec7, 0xd3b8b86b, 0x3c141428, 0x , 0x7e2a2a54, 0xab90903b, 0x b, 0xa06060c0, 0x , 0xd14f4f9e, 0x7fdcdca3 },...

11 TABLE BASED AES IMPLEMENTATION ShiftRows T-Box AddRoundKey SubByte XOR Table MixColumns

12 EXAMPLE Reference :

13 ENCODING A * A -1 = I(identity matrix) IN A 0 A 0-1 A 2 A 2-1 A n-1-1 T 0 T 1 T 2 T n A 1 A 1-1 A 3 A n Obfuscated T 0` Obfuscated T 1` Obfuscated T 2` Obfuscated T n` A n -1 OUT

14 ENCODING A * A -1 = I(identity matrix) IN A 0 A 0-1 A 2 A 2-1 A n-1-1 Cancelled Cancelled Cancelled T 0 T 1 T 2 T n A 1 A 1-1 A 3 A n Cancelled A n -1 Cancelled OUT

15 NETWORK OF LOOK-UP TABLES

16 COMPARISON OF AES AND WB-AES Cryptographic key is not visible Cryptographic operations are obfuscated, randomized Key PlainText PlainText SubBytes ShiftRows WBC MixColumns AddRoundKey CipherText CipherText

WHITE-BOX CRYPTANALYSIS Academic WBC Implementations Karroumi's white-box AES implementation OpenWhiteBox Challenges in CTF Commercial WBC Implementations Simple cipher for performance Complex cipher

17 WHITE-BOX CRYPTANALYSIS Academic WBC Implementations Karroumi's white-box AES implementation OpenWhiteBox Challenges in CTF Commercial WBC Implementations Simple cipher for performance Complex cipher for security

18 COMMERCIAL WHITE-BOX PRODUCTS Secret Key 4A 32 4D C E 6B 32 4D 4A 30 WB Engine It's very difficult to recover protected key to plain secret key Protected Key 49 D8 AD DC 2B AE 89 D1 EE 67 D0 5F CB F3 5C D B4 93 F1 63 D8 51 DC 58 BB DA E0 9A 60 0B 11 6E B9 53 0E 66 F AC 80 7D F7 DA 02 DF AE B4 5F 9E 7F C3 95 5B D6 7A 81 4E 75 7D CE A 5E D DA E0 2D 2B AE D8

19 POWER ANALYSIS Recode intermediate computation result And then compare it and subkey guessed PlainText Determine to point intermediate computation values and capture them Sbox ( x gkn ) 0.1 subkey guess Analysis trace1 trace2 trace3 trace4 trace5 trace CipherText

20 POWER ANALYSIS ON THE HARDWARE Typical example of a (hardware) power trace of an unprotected AES-128 implementation (one can observe the ten rounds) Reference : Joppe W. Bos et al. - Differential Computation Analysis: Hiding your White-Box Designs is Not Enough

21 POWER ANALYSIS ON THE HARDWARE Typical example of a (hardware) power trace of an unprotected AES-128 implementation (one can observe the ten rounds) Reference : Joppe W. Bos et al. - Differential Computation Analysis: Hiding your White-Box Designs is Not Enough

22 POWER ANALYSIS ON THE SOFTWARE Typical example of a portion of a serialized software trace of stack writes in an WBAES-128, with only two possible values: 0 or 1 Reference : Joppe W. Bos et al. - Differential Computation Analysis: Hiding your White-Box Designs is Not Enough

23 CORRELATION POWER ANALYSIS(CPA) The correlation between the sensitive data and the power consumption for the 256 key guesses for a single byte Reference : W. Hnath, J. Pettengill, Differential Power Analysis Side-Channel Attacks in Cryptography, Major Qualifying Project, Worcester Polytechnic Institute, April 2010

CORRELATION POWER ANALYSIS(CPA) The correlation between the sensitive data and the power consumption for the 256 key guesses for 16 byte Reference : W.

24 CORRELATION POWER ANALYSIS(CPA) The correlation between the sensitive data and the power consumption for the 256 key guesses for 16 byte Reference : W. Hnath, J. Pettengill, Differential Power Analysis Side-Channel Attacks in Cryptography, Major Qualifying Project, Worcester Polytechnic Institute, April 2010

25 Reference : Kevin Meritt, Differential Power Analysis attacks on AES CRYPTOGRAPHIC PRIMITIVE Typical example of a (hardware) power trace of an unprotected AES-128 implementation (one can observe the ten rounds)

26 SOFTWARE EXECUTION TRACE WITH DBI [.code execution] start_addr end_addr : c1b7 : c1d0 instruction info c1b7: mov eax, dword ptr [ebp + 8] c1ba: add dword ptr [ebx + 0x550], c1c1: mov edx, dword ptr [eax + 0x228] c1c7: mov edi, dword ptr [eax + 0x224] c1cd: mov dword ptr [ebp - 0x44], edx c1d0: jmp 0x400b3c1 [.mem read] code_addr : c1b7 mem_addr : beef7470 size : 4 data : 805b0204 [.mem read] code_addr : c1b7 mem_addr : beef7470 size : 4 data : 805b0204 [.mem read] code_addr : c1ba mem_addr : size : 4 data : 2f [.mem write] code_addr : c1ba mem_addr : size : 4 data : [.mem write] code_addr : c1c1 mem_addr : da8 size : 4 data : 347b0608 [.mem write] code_addr : c1c7 mem_addr : da4 size : 4 data :

27 VISUALIZED MAP OF OPEN-SOURCE WBAES-128 Time Memory Address Write Read Execution

28 VISUALIZED MAP OF OPEN-SOURCE WBAES-128 Time Memory Address Write Read Execution

29 WBAES-128 KEY RECOVERY WITH CPA rank 1 rank 2 rank 3 rank 4 rank 5 rank 6 rank 7 rank 8 rank 9 rank 10 key 1 0x2b ( ) 0x07 ( ) 0xc1 ( ) 0xee ( ) 0x08 (1.697) 0x0c ( ) 0x72 ( ) 0x2c ( ) 0x81 ( ) 0x0a ( ) key 2 0x7e ( ) 0x93 ( ) 0x06 ( ) 0x02 ( ) 0xa8 ( ) 0x54 ( ) 0x62 ( ) 0xb6 ( ) 0xe9 ( ) 0x86 ( ) key 3 0x15 ( ) 0xc8 ( ) 0xe4 ( ) 0x20 ( ) 0x92 ( ) 0x74 ( ) 0x1e ( ) 0x89 ( ) 0x43 ( ) 0xd6 ( ) key 4 0x16 ( ) 0xb5 ( ) 0x8f ( ) 0xbb ( ) 0x45 ( ) 0xe9 ( ) 0xcf ( ) 0xc2 ( ) 0x38 ( ) 0x6c ( ) key 5 0x28 ( ) 0x7d ( ) 0x5a ( ) 0xc9 ( ) 0x8e ( ) 0xfb (1.6714) 0xf3 ( ) 0x5b (1.6599) 0xaa ( ) 0x67 ( ) key 6 0xae (2.5603) 0x69 ( ) 0x8a ( ) 0xf5 ( ) 0xc4 ( ) 0xfe ( ) 0xa0 ( ) 0xe5 ( ) 0x98 (1.6579) 0xb8 ( ) key 7 0xd2 ( ) 0xb4 ( ) 0x5f ( ) 0xe0 ( ) 0xa1 ( ) 0x5a ( ) 0x8b ( ) 0x0b ( ) 0xcd ( ) 0x68 ( ) key 8 0xa6 ( ) 0x4b ( ) 0x9d ( ) 0x2d ( ) 0x01 (1.6456) 0x0d ( ) 0xbf ( ) 0xea ( ) 0xe7 ( ) 0x3e ( ) key 9 0xab (2.4717) 0x1d (1.7161) 0xc9 ( ) 0xe5 ( ) 0x7c ( ) 0x77 ( ) 0x2f ( ) 0xc4 ( ) 0xa1 ( ) 0x60 ( ) key 10 0xf7 ( ) 0xb8 ( ) 0xa4 ( ) 0x76 ( ) 0xc4 ( ) 0x17 ( ) 0xea ( ) 0xbe ( ) 0x8b (3.3548) 0x97 ( ) key 11 0x15 ( ) 0x16 ( ) 0xb6 ( ) 0x69 ( ) 0xbe ( ) 0x7b ( ) 0x41 (1.6857) 0x2f ( ) 0x91 ( ) 0x22 ( ) key 12 0x88 (2.8446) 0x3c ( ) 0xe4 ( ) 0x52 ( ) 0x79 ( ) 0x08 ( ) 0xb9 ( ) 0x40 ( ) 0x42 ( ) 0xb5 ( ) key 13 0x09 ( ) 0x96 ( ) 0xf2 ( ) 0xb4 ( ) 0x0d ( ) 0x6d ( ) 0x3f ( ) 0xaf ( ) 0x78 ( ) 0xe6 ( ) key 14 0xcf (2.3232) 0x19 ( ) 0x9a ( ) 0x3d ( ) 0x03 ( ) 0xe2 ( ) 0x07 ( ) 0xd2 ( ) 0x6f ( ) 0xca ( ) key 15 0x4f ( ) 0xd7 ( ) 0xce ( ) 0xad ( ) 0x45 ( ) 0x0e ( ) 0x62 ( ) 0x76 ( ) 0xc0 ( ) 0x48 ( ) key 16 0x3c ( ) 0x97 ( ) 0xa7 ( ) 0x5d ( ) 0x02 ( ) 0xea ( ) 0x07 ( ) 0x7e ( ) 0xe6 (1.6479) 0x29 ( )

30 VISUALIZED MAP OF SIMPLE-CIPHER Time Memory Address Write Read Execution

31 VISUALIZED MAP OF SIMPLE-CIPHER Time Memory Address the round pattern not found

32 TAINT ANALYSIS Object A Object B

33 TAINT ANALYSIS - PLAINTEXT TRACE Cryptographic primitive

34 TAINT ANALYSIS FOR SIMPLE-CIPHER 0x : (in /lib/i386-linux-gnu/libc-2.21.so) 0x42B34AE: (in /lib/i386-linux-gnu/libc-2.21.so) 0x42B34B3: (in /lib/i386-linux-gnu/libc-2.21.so) 0x42B34B8: (in /lib/i386-linux-gnu/libc-2.21.so) 0x42B34BD: (in /lib/i386-linux-gnu/libc-2.21.so) 0x8181ABA: (in Commercial-SimpleWB-AES) 0x8181AC4: (in Commercial-SimpleWB-AES) 0x8181ACC: (in Commercial-SimpleWB-AES) 0x8181AD0: (in Commercial-SimpleWB-AES) 0x8181AE0: (in Commercial-SimpleWB-AES) 0x8181AE4: (in Commercial-SimpleWB-AES) 0x8181AEE: (in Commercial-SimpleWB-AES) 0x8181AF2: (in Commercial-SimpleWB-AES) 0x8181B04: (in Commercial-SimpleWB-AES) 0x8181B08: (in Commercial-SimpleWB-AES) 0x8181B10: (in Commercial-SimpleWB-AES) 0x8181B14: (in Commercial-SimpleWB-AES) 0x8181B24: (in Commercial-SimpleWB-AES) 0x8181B28: (in Commercial-SimpleWB-AES) 0x8181B32: (in Commercial-SimpleWB-AES) Cryptographic primitive

35 VISUALIZED MAP OF SIMPLE-CIPHER Time Memory Address Write Read Execution

36 CPA ON THE SIMPLE-CIPHER rank 1 rank 2 rank 3 rank 4 rank 5 rank 6 rank 7 rank 8 rank 9 rank 10 key 1 0x4a ( ) 0x6b( ) 0xbe( ) 0x1e( ) 0x2e( ) 0x35( ) 0x65( ) 0x92( ) 0x1d( ) 0x58( ) key 2 0x32 ( ) 0xd0( ) 0xe8( ) 0xcc( ) 0x78( ) 0xdf( ) 0x17( ) 0x64( ) 0x79( ) 0x8a( ) key 3 0x4d ( ) 0xcc( ) 0x23( ) 0x91( ) 0xb9( ) 0xb3( ) 0x4e(3.2596) 0xa2( ) 0x8f( ) 0x04( ) key 4 0x72 ( ) 0x38( ) 0xdf(3.3211) 0x2f( ) 0xae( ) 0xa1( ) 0xf8( ) 0xd3( ) 0x1b( ) 0x8b( ) key 5 0x39 (4.1895) 0xc4( ) 0xbb( ) 0x8b( ) 0x7c( ) 0x8e( ) 0x13( ) 0x69(3.299) 0x9e( ) 0x89( ) key 6 0x33 ( ) 0x2d( ) 0xa8( ) 0xb8( ) 0x72( ) 0x48( ) 0x96( ) 0x4d( ) 0x23( ) 0x9a( ) key 7 0x33 ( ) 0xda( ) 0xc8( ) 0x23( ) 0x5f( ) 0x17( ) 0xd3( ) 0xe6( ) 0x64( ) 0x85( ) key 8 0x6c ( ) 0x21( ) 0xba(3.3402) 0xb3( ) 0x65( ) 0xaf( ) 0x1f( ) 0x61( ) 0x44( ) 0xc6( ) key 9 0x61 ( ) 0x8d( ) 0x68( ) 0x5f( ) 0x1e( ) 0xeb( ) 0x96( ) 0x13( ) 0x0c( ) 0xc0( ) key 10 0x54 ( ) 0x42( ) 0xd6( ) 0x5d( ) 0x3f(3.3665) 0xbc( ) 0x3a( ) 0xed( ) 0x2d( ) 0x14(3.3029) key 11 0x4e ( ) 0x74( ) 0x39( ) 0xee( ) 0x52( ) 0x68( ) 0x7b( ) 0x1a( ) 0x30( ) 0x16( ) key 12 0x6b ( ) 0xab( ) 0x28( ) 0xbc( ) 0xc1( ) 0x02( ) 0x07( ) 0x13( ) 0x75( ) 0xc0( ) key 13 0x32 ( ) 0x15( ) 0x72( ) 0xe9( ) 0x88( ) 0x52( ) 0x95( ) 0x6c( ) 0x2d( ) 0xc7( ) key 14 0x4d (3.4734) 0x7d( ) 0xcd( ) 0x8e( ) 0x5f( ) 0x0b( ) 0x10( ) 0xee( ) 0x7b(3.2615) 0x1a( ) key 15 0x4a ( ) 0x0a( ) 0x89( ) 0xaf( ) 0xf0(3.2857) 0xf1( ) 0xcd( ) 0x48( ) 0xc8( ) 0x87( ) key 16 0x30 ( ) 0xc0( ) 0xce(3.3276) 0x2c( ) 0xe9( ) 0x7b( ) 0x8f( ) 0x4e( ) 0x1c( ) 0xd6( )

37 VISUALIZED MAP OF COMPLEX-CIPHER Time Memory Address Write Read Execution

38 PLAINTEXT TRACE ON THE COMPLEX-CIPHER Plaintext Ciphertext

39 REVERSE ENGINEERING FOR COMPLEX CIPHER

41 COMPLEX-CIPHER CONTROL FLOW Function A Plaintext Function B Repeats many times Ciphertext

42 WHITE-BOX TABLE IN COMPLEX-CIPHER

43 FAULT ANALYSIS Modify intermediate data Record changes to the output Compare incorrect result and correct result PlainText PlainText Modify intermediate computation value CipherText(wrong) Compare correct and incorrect result CipherText(correct)

44 DIFFERENTIAL FAULT ANALYSIS(DFA) After ShiftRow9 87 F2 4D 97 6E 4C 90 EC 46 E7 4A C3 A6 8C D8 95 Fault injected 1E 99 F2 4D 97 6E 4C 90 EC 46 E7 4A C3 A6 8C D8 95 After Mixcolumns 7B C 29 D4 70 9F 8A E4 3A 42 CF A5 A6 BC K9 AC FA D1 5C 66 D F E After AddRoundKey9 D7 59 8B 1B 5E 2E A1 C3 EC C 84 E7 D2 After SubBytes10 0E C 3D AF E CE 07 7D 2C EB 5F 94 B5 After ShiftRows10 0E C 3D AF E 58 7D 2C CE 07 B5 EB 5F 94 K10 D0 C9 E1 B6 14 EE 3F 63 F9 25 0C 0C A8 89 C8 A6 Input = 3243F6A8885A308D313198A2E Cipher Key = 2B7E151628AED2A6ABF CF4F3C Output= D02DC09FBDC A0B32 = Output with faults DE 02 D D 11 3B C2 0B 1D Output without fault D D 11 6A B 1D FB Reference : P. Dusart, G. Letourneux and O. Vivolo, Differential Fault Analysis on A.E.S., Cryptology eprint Archive of IACR, No. 010, 2003

45 DIFFERENTIAL FAULT ANALYSIS(DFA) After ShiftRow9 87 F2 4D 97 6E 4C 90 EC 46 E7 4A C3 A6 8C D8 95 Fault injected 1E 99 F2 4D 97 6E 4C 90 EC 46 E7 4A C3 A6 8C D8 95 After Mixcolumns 7B C 29 D4 70 9F 8A E4 3A 42 CF A5 A6 BC K9 AC FA D1 5C 66 D F E After AddRoundKey9 D7 59 8B 1B 5E 2E A1 C3 EC C 84 E7 D2 After SubBytes10 0E C 3D AF E CE 07 7D 2C EB 5F 94 B5 After ShiftRows10 0E C 3D AF E 58 7D 2C CE 07 B5 EB 5F 94 K10 D0 C9 E1 B6 14 EE 3F 63 F9 25 0C 0C A8 89 C8 A6 Input = 3243F6A8885A308D313198A2E Cipher Key = 2B7E151628AED2A6ABF CF4F3C Output= D02DC09FBDC A0B32 = Output with faults DE 02 D D 11 3B C2 0B 1D Output without fault D D 11 6A B 1D FB = Error E Reference : P. Dusart, G. Letourneux and O. Vivolo, Differential Fault Analysis on A.E.S., Cryptology eprint Archive of IACR, No. 010, 2003

46 DIFFERENTIAL FAULT ANALYSIS(DFA) After ShiftRow9 87 F2 4D 97 6E 4C 90 EC 46 E7 4A C3 A6 8C D8 95 Fault injected 1E 99 F2 4D 97 6E 4C 90 EC 46 E7 4A C3 A6 8C D8 95 After Mixcolumns 7B C 29 D4 70 9F 8A E4 3A 42 CF A5 A6 BC K9 AC FA D1 5C 66 D F E After AddRoundKey9 D7 59 8B 1B 5E 2E A1 C3 EC C 84 E7 D2 After SubBytes10 0E C 3D AF E CE 07 7D 2C EB 5F 94 B5 After ShiftRows10 0E C 3D AF E 58 7D 2C CE 07 B5 EB 5F 94 K10 D0 C9 E1 B6 14 EE 3F 63 F9 25 0C 0C A8 89 C8 A6 Input = 3243F6A8885A308D313198A2E Cipher Key = 2B7E151628AED2A6ABF CF4F3C Output= D02DC09FBDC A0B32 = Output with faults DE 02 D D 11 3B C2 0B 1D Output without fault D D 11 6A B 1D FB E Error Reference : P. Dusart, G. Letourneux and O. Vivolo, Differential Fault Analysis on A.E.S., Cryptology eprint Archive of IACR, No. 010, 2003

47 WHITE-BOX TABLE IN COMPLEX-CIPHER

48 WHITE-BOX TABLE IN COMPLEX-CIPHER

49 WHITE-BOX TABLE IN COMPLEX-CIPHER 1byte flip;0xbd!0x34

50 FAULTY CIPHERTEXT testtesttesttest 6CB721A5633DFD7F94A normal cipher-text testtesttesttest FF1E4C03844DD800CE9CF34C6B7EEAE8 faulty cipher-text

51 DFA ON COMPLEX-CIPHER Plaintext(in hex) Correct ciphertext 0x x6CB721A5633DFD7F94A Good faulty ciphertexts Final round key 0x8EB721A5633DFDB794A61E x6CD921A5113DFD7F94A x6CB740A563C5FD7F8BA A8 0x6CB DA97F94A447453D other 625 good faulty ciphertext 0x5CB2FAF4F3FB94543BFA87DFE92660FC

52 DFA ON COMPLEX-CIPHER Final round key Round 9 key Round 8 key Round 7 key Round 6 key Round 5 key Round 4 key Round 3 key Round 2 key Round 1 key Secret key 0x5CB2FAF4F3FB94543BFA87DFE92660FC 0xEC26DC41AF496EA0C801138BD2DCE723 0x36991EE3436FB2E167487D2B1ADDF4A8 0x9C3EF21C75F6AC022427CFCA7D xEB64C9D7E9C85E1E51D163C859B x305BC5E702AC97C9B8193DD xFAF69E0032F7522EBAB5AA1FB07A1857 0x78C1CC67C801CC2E8842F8310ACFB248 0x21177A74B0C F828D4A79 0xA8E D77A3DF C2CE7E66 0x4A324D C61544E6B324D4A30

53 CONCLUSION

54 THE WAY TO USE WBC SAFER IN APPS Be sure to keep basic rules No single key for everything No hardcoded key(protected key) No static IV External encoding Asymmetric crypto algorithm based on WBC RSA, Elliptic curves, Diffie Hellman Tamper resistant embedded integrity checksums Cryptographic key device binding device identifier + user identifier + external identifier(e,g, pin, biometric)

55 EXTERNAL ENCODING Sender Input Encode the input First round White-box Decode the input Final round Encode the output Decode the output Output Receiver

56 CRYPTOGRAPHIC KEY DEVICE BINDING Device identifier User identifier External identifier(e,g, pin, biometric)

57 FUTURE WORKS White-box version of crypto libraries Retrieve a master key embedded white-box engine Since the vulnerabilities have already been fixed, I will focus on finding other vulnerability.

58 THANK YOU

Technical Specification. Third Party Control Protocol. AV Revolution

Technical Specification. Third Party Control Protocol. AV Revolution Technical Specification Third Party Control Protocol AV Revolution Document AM-TS-120308 Version 1.0 Page 1 of 31 DOCUMENT DETAILS Document Title: Technical Specification, Third Party Control Protocol,