Unboxing the whitebox. Jasper van CTO Riscure North America ICMC 16

Transcription

1 Unboxing the whitebox Jasper van CTO Riscure North America ICMC 16

2 Riscure Certification Pay TV, EMVco, smart meter, CC Evaluation & consultancy Mobile (TEE/HCE/WBC) Secure architecture / design Tools Side channel analysis, fault injection Training Whitebox crypto, SCA, FI

3 Protecting the keys Secure Environment Key Plain Text Crypto Cipher Text Internal state needs to be protected

4 What and why White-Box cryptography -> secure software crypto in an untrusted environment Being used today in Pay TV DRMs, mobile payments, This talk: applying hardware attack concepts to software environments

5 Introduction Key recovery attacks Conclusion

6 Sign of the times

7 Sign of the times

8 Software in the White-Box context Input Output Business logic I/O Crypto key Can be modified at will Direct access

9 White-Box Cryptography Protection against key extraction in the white-box security model A technique that allows merging a key into a given crypto algorithm: Described for the first time in 2002 by S. Chow et al. Available for AES and DES Lookup tables used for applying mathematical transforms to data Remove the distinction between keys and crypto algorithm code. Pure WBC weakness: cloning/lifting

10 How does WBC work? Image source: whiteboxcrypto.com

11 WBC Construction: partial evaluation in S out key in T out

12 WBC Construction: encoding Internal encoding in DECODE T ENCODE out in T out

13 External encoding E(INPUT) DECODE WB AES ENCODE E (OUTPUT) DECODE S1 ENCODE DECODE S2 ENCODE DECODE Sn ENCODE ENCODE Sending Process DECODE Receiving Process

14 WBC attack literature Attacks for all academic WBC proposals Focus on key extraction Type of transformations assumed known Concrete transformation and key unknown In real life we do not know much about the design! Not many publicly documented SCA/FI on WBC Implementation-specific DFA paper in 2002 [2] Recent generic DPA-like attack in [3]* * Authors coined the term Differential Computational Analysis

15 Potential attacks on WBC (I) Side channel analysis (SCA) / intermediate data analysis Observe data here and compare it to expected data here

16 Potential attacks on WBC (II) Data manipulation Fault Injection (FI) Modify data here and observe changes to the output

17 Potential attacks on WBC (III) Process manipulation Fault injection (FI) Modify code flow here and observe changes to the output

18 Introduction Key recovery attacks Conclusion

19 Fault Injection Attacks on WBC

20 Differential Fault Analysis Correct result Correct result Correct result Correct result Faulty result Faulty result Faulty result Faulty result

21 DFA computation for DES K 15 R 16 = F(R 15, K 16 ) L 15 L 15 R 15 K 16 R 16 = F(R 15, K 16 ) L 15 R 16 L 16 R 16 L 16 XOR R 16 R 16 = F(R 15, K 16 ) F(R 15, K 16 )

22 How to port DFA to WBC?

23 DFA attack process 1. Location of fault injection point 2. Fault injection and ciphertext collection Multiple options available 3. Fault analysis We use our own tools Some AES DFA examples on GitHub

24 Example target: wbdes Binary DES encryption WBC Challenge posted at whiteboxcrypto.com DES key hidden within lookups Key value is 0x30 0x32 0x34 0x32 0x34 0x36 0x32 0x36 We ll demo all our attacks on this target

25 STEP 1: Locating the injection point Red: writes Green: reads Stack space Target area Event counter

26 STEP 2: Fault injection 1. Select target event within target region 2. Modify data read by that event 3. Collect input/output pairs If event id within target region Invert a random bit

27 STEP 3: Analysis DEMO

28 Demo screenshots

29 Summary DFA results Implementation Fault injection Results Wyseur (DES) Unicorn script Broken in 40 faults Hack.lu 2009 (AES) SSTIC 2012 (DES) Karroumi (AES) NSC 2013 (encoded AES) Debugger script Modified lifted code Modified source code N/A Broken in 90 faults Broken in 60 faults Broken in 80 faults Not broken encoding makes DFA not feasible

30 Side Channel Attacks on WBC

31 What is a DPA attack? Differential Power Analysis attack First proposed ~1998 by Paul Kocher to attack on smart cards: ü Measuring power consumption of a crypto execution ü Take multiple measurements for different inputs ü Infer information about the key from the difference of these

32 Differential trace Group by known data Average trace Subtract DifferenPal trace

33 Hypothesis testing

34 Generalization of differential SCA attacks Take muliple measurements of behavior of crypto operaions for different data Predict behavior for sub keys based on the same data and leakage model Apply staisical methods to disinguish the best sub key Difference of means CorrelaIon Mutual InformaIon analysis, Linear regression analysis, Find correct guesses for all sub keys to determine key

35 To our surprise. It works on White Box Crypto out-of-the-box!!!

36 SCA attack process 1. Instrument WBC to collect measurements Again: 2. Execute WBC with random inputs multiple times 3. Collect measurement input/output pairs in useable form 4. SCA Analysis

37 STEP1: Capture measurement Grab the data using any method that fits your target Instrument execution (eg. PIN, Valgrind) Capture stack snapshots per crypto round (Hooking, debugger) Use emulators and record (QEMU, Unicorn, PANDA) Capture any information during execution that might leak All reads/writes to memory Lower bits of addresses of memory accesses All register contents

38 STEP2+3: Execute + Collect Provide/inject random input data, capture output data Program arguments Use instrumentation from STEP 1 Store it in a way that allows testing key guesses Store as single bit samples Assure alignment between multiple captures

39 STEP 4: SCA Analysis Same target as for DFA: wbdes Same hidden key: 0x30 0x32 0x34 0x32 0x34 0x36 0x32 0x36 DEMO

40 Demo screenshots

41 Summary SCA results Implementati on Wyseur (DES) Hack.lu 2009 (AES) SSTIC 2012 (DES) Karroumi (AES) NSC 2013 (encoded AES) Attacked intermediate Round output S-Box output Round output S-Box and GF(256) inverse N/A Results Broken in 75 traces Broken in 16 traces Broken in 16 traces Broken in ~2000 traces Not broken

42 Introduction Key recovery attacks Conclusion

43 What does it mean? No detailed knowledge required Of WBC implementation Where the WBC is processed exactly No manipulation required Ø A secret random input/output encoding is the only barrier But: These random encodings do not work for many real world applications After instrumentation, push-button attack

44 Mitigating WBC leakage Side Channel Analysis attacks Must prevent statistical dependence between intermediates and key Typical countermeasures based on randomness difficult in white-box scenario Differential Fault Analysis attacks Double-checks on encoded data -> might be bypassed if detected! Carry redundant data along computation? Break fault models by propagating faults?

45 Mitigating WBC attacks Input Output Protected binary Business logic I/O WBC Obfuscation Control-flow obfuscation Data obfuscation Anti-analysis and anti-tamper Detect debugger/emulator Detect hooks and modifications Device binding Bind code to current device

46 Take it away Like many security tech, WBC mitigates attacks Key extraction effort we ve seen: days to few months WBC designers: Validate your assumptions(!) Always combine strong RE / cloning countermeasures WBC integrators: Ask for all countermeasures Ask for quantified attack resistance against all known attacks

47 Contact: Jasper van Woudenberg Riscure B.V. Frontier Building, Delftechpark XJ Delft The Netherlands Phone: Riscure North America 71 Stevenson Street, Suite 400 San Francisco, CA USA Phone:

48 References [1] [2] [3] [4] [5]