Security of Block Ciphers Beyond Blackbox Model

Transcription:

CRYPTACUS Action Meeting, November 6, 2016. Security of Block Ciphers Beyond Blackbox Model. Takanori Isobe, SONY Corporation.

About Me. Researcher/Engineer at Sony Corporation since 2008. As a researcher: cryptanalysis of symmetric-key primitives, including the first attack on full GOST (@FSE 2011), plaintext recovery attacks on RC4 (@FSE 2013) and Spritz (@FSE 2016), and more; design of block ciphers, including the lightweight block cipher Piccolo (@CHES 2011), the low-energy block cipher Midori (@ASIACRYPT 2015), and the whitebox-secure block ciphers SPACE/SPNbox (@ACM CCS 2015/ASIACRYPT 2016). As an engineer: design/evaluation of the security systems of our products and network, for games (PS Vita/PS4), cameras, TVs and more; writing crypto code for products.

Today's Talk: Security beyond the Blackbox Model. As engineers, we often face this problem. Untrusted environments: software-only solutions. Advanced attacks on systems/devices: reverse engineering (cold boot attack), malware, APT. Software vulnerabilities: buffer overflow, Heartbleed, Dirty COW. This talk shows our approaches to addressing these issues.

Background: Symmetric-key Cryptography. DES, AES, CMAC, HMAC, GCM. [Diagram: plaintext and key enter E (encryption) to give the ciphertext; ciphertext and key enter E (decryption) to give the plaintext.] Fundamental primitives for security => deployed in almost all our products.

Background: Symmetric-key Cryptography. DES, AES, CMAC, HMAC, GCM. Designed to be secure in the black-box model: the adversary has access to the input and output, and the internal state is invisible. [Diagram: the adversary sees plaintext/ciphertext going into and coming out of encryption/decryption, but not the key.]

Crypto is Everywhere. The black-box model fails to reflect reality.

Beyond Blackbox. Cold boot attacks: read the remaining memory contents in the seconds to minutes after power-off. Software attacks: binary analysis, reverse engineering (e.g., overwrite the binary, such as the S-box, to get the key). Trojans, malware, or software vulnerabilities (e.g., Heartbleed, buffer overflow) leak a part of the secret key or internal state. Unauthorized access to servers: hacking, cracking, privilege escalation. Internal states in memory often leak in the real world.

Our Questions. 1. How much memory leakage is enough to break a system, e.g. to extract the secret key? -> Security of AES under Leakage @Asiacrypt 2015 (joint work with Andrey Bogdanov). 2. What are efficient countermeasures against leakage attacks?

Motivation: How secure is AES under memory leakage? Weakest memory leakage model: only one bit leaks in each execution, and the location of the leaked bit is unknown => limited control of the platform. [Diagram: AES-128 maps P to C under the key, leaking 1 bit of information at an unknown location.]

Two Leakage Models. Fixed location: the location of the leaked bit is fixed in each execution. Random location: the location of the leaked bit is random in each execution => timing/space randomization (software protection). [Diagram: for each model, the ten rounds from P to C under the key, with the position of the leaked bit marked.]

Differential Bias Attack. Regard the leaked bits as a bit-stream Z_0, Z_1, Z_2, ..., Z_{Ns-1}, where Z_i is the leaked bit of the i-th execution, and borrow techniques from the stream cipher domain. Guess 32 bits of the key. Use a pair of plaintexts P and P' having a special difference Δ, which results in a biased (differential) stream only under the correct key. Only if the key is correct, Pr(Z_i XOR Z_j = 0) is biased for all i and j. If Z_i and Z_j are random, Pr(Z_i XOR Z_j = 0) = 0.5.

Truncated Differential over 3 Rounds. [Figure: truncated differential trails for the correct key and a wrong key, starting from the plaintext difference and passing through SB, SR and MC; legend: probability-one non-zero difference, probability-one zero difference, unknown difference.] Exploit this gap! Correct key: 21, 27. Wrong key: 0, 12.

Bitwise Bias from Truncated Differential. Positive bitwise bias toward zero: in a probability-one zero truncated difference, if Z_i and Z_j are a pair at the same position, P(Z_i XOR Z_j = 0) = 1. Negative bitwise bias toward zero: in a probability-one non-zero truncated difference, if Z_i and Z_j are a pair at the same position, P(Z_i XOR Z_j = 0) = ½(1 - 2^-7.99) (experimental value ½(1 - 2^-7.92)). With the 32 guessed key bits, Pr(Z_i XOR Z_j = 0) = ½(1 - 2^-16.02): a strong bias for the correct key.

Evaluation. Attack cost to obtain a full 128-bit key: time 2^33, data 2^33. Even under the weakest leakage assumption (1-bit leakage at a random unknown location), a practical attack is possible! [Diagram: the ten rounds from P to C under the key.]

Extensions. Noisy leakage setting: possible, but noise makes it time-consuming work. Known-plaintext attack: possible for the differential bias attack. Bytewise leakage: somewhat improves the attack complexity. Other granularities: not only the state after the round function, but also the states after SubBytes, MixColumns, etc. can be used to mount differential bias attacks. AES-192/256 and some other ciphers: the same attacks are directly applicable. See the paper.

Question from Real World. 1. How much information from memory is necessary to extract the secret key? Only 1-bit leakage is enough to extract a key (AES). 2. What are efficient countermeasures against leakage attacks? -> Whitebox-Secure Block Cipher (ACM CCS 2015), joint work with Andrey Bogdanov.

Whitebox Cryptography: implementations of cryptographic algorithms that are secure in the whitebox model. [Diagram: the key is embedded in software that is in the adversary's hands.]

Whitebox Model. The adversary has full access to the crypto algorithm and full control over its execution environment. Internal values are fully accessible (read/write). [Diagram: the adversary can modify internal values and the algorithm and read any memory of the encryption/decryption that maps plaintext/ciphertext to ciphertext/plaintext under the key.]

Applications: DRM. Protected content (e.g. movies and music) is decrypted on the user's (adversary's) device. The adversary may control the platform on which the media player application is executed, and aims to extract a content key. [Diagram label: cloud service provider.]

Applications: HCE (host card emulation). A technology that emulates a payment card on a mobile device using only software; a secure element is not necessary. Android 4.4 supports host card emulation (HCE). Google Wallet, VISA, MasterCard. [Diagram labels: issuer, cloud server, credential, payment processor, NFC reader, whitebox crypto.]

Application: Memory Leakage. Software attacks (binary analysis); Trojans, malware; software vulnerabilities (e.g. Heartbleed, buffer overflow); unauthorized access to servers.

History of Whitebox Cryptography. Academic level: in 2002, Cloakware (Irdeto) published a paper presenting the first scheme of whitebox AES. However, all published whitebox AES schemes were practically broken by the BGE attack. Industrial level: WBC is widely deployed in many applications; details are kept secret; protected with additional countermeasures. Differential Computational Attack (@CHES 2016): the details of implementations are not required; additional countermeasures do not make sense. No secure whitebox cipher in the public domain.

New Whitebox-friendly Encryption Scheme: a 128-bit block cipher called SPACE (@ACM CCS 2015). Secure in the whitebox model: security against key extraction reduces to the key recovery problem of AES in the blackbox model. Space hardness: compression of the code is infeasible, which mitigates code lifting attacks. High performance: much faster than whitebox AES; whitebox AES (published by Cloakware): 0.4 MB/s; SPACE: 10-100 MB/s. Others: it does not have AES functionality, but the interfaces are the same as AES; SPACE can be considered a mode of operation for AES.

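SPACE Block Cipher. Target-heavy Feistel construction. The 128-bit plaintext is divided into x words of n_a bits each, p_0, p_1, ..., p_{x-1}. F function: n_a bits to (128 - n_a) bits. In the white box, the F function becomes a table. [Diagram: the plaintext words p_0, p_1, ..., p_{x-1}; the n_a-bit word p_0 goes through the F table and the result is applied to the other words, round after round, down to the ciphertext.]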

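F-function (Whitebox Table). The table is created by AES-128: it constrains the plaintext from 128 bits to n_a bits and truncates the ciphertext from 128 bits to 128 - n_a bits. [Diagram labels: x (n_a bits) and a constant (n - n_a bits) enter E under the k-bit key K; n_a bits of the output are disregarded, leaving the (n - n_a)-bit y; r also appears on the output side.]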
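The table construction and target-heavy Feistel structure from the two slides above, as an added Python example that is not code from the talk or the SPACE paper. The zero constant placed after x, the round counter XORed into the state and the round count are assumptions made for illustration, and AES-128 is implemented inline so the block runs with the standard library only.

```python
# Added illustration, not code from the talk. Assumptions: zero constant placed
# after x, round counter XORed in, caller-chosen demo round count.
def xtime(a):                      # multiply by 2 in GF(2^8)
    a <<= 1
    return a ^ 0x11B if a & 0x100 else a

def gmul(a, b):                    # multiply in GF(2^8)
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a, b = xtime(a), b >> 1
    return r

def make_sbox():                   # inverse in GF(2^8), then the AES affine map
    box = []
    for a in range(256):
        v = next((b for b in range(1, 256) if gmul(a, b) == 1), 0)
        rot = lambda s: ((v << s) | (v >> (8 - s))) & 0xFF
        box.append(v ^ rot(1) ^ rot(2) ^ rot(3) ^ rot(4) ^ 0x63)
    return box
SBOX = make_sbox()

def expand_key(key):               # AES-128 key schedule -> 11 round keys
    w, rcon = [list(key[i:i + 4]) for i in range(0, 16, 4)], 1
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]
            t[0] ^= rcon
            rcon = xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [sum(w[4 * r:4 * r + 4], []) for r in range(11)]

def mix_column(a):
    t = a[0] ^ a[1] ^ a[2] ^ a[3]
    return [a[i] ^ t ^ xtime(a[i] ^ a[(i + 1) % 4]) for i in range(4)]

def aes128(rk, block):
    s = [b ^ k for b, k in zip(block, rk[0])]
    for r in range(1, 11):
        s = [SBOX[b] for b in s]                                        # SubBytes
        s = [s[4 * ((i // 4 + i % 4) % 4) + i % 4] for i in range(16)]  # ShiftRows
        if r < 10:
            s = sum((mix_column(s[c:c + 4]) for c in range(0, 16, 4)), [])
        s = [b ^ k for b, k in zip(s, rk[r])]
    return bytes(s)

def build_table(key, n_a):         # x (n_a bits) -> top 128-n_a bits of AES_key(x || 0..0)
    rk = expand_key(key)
    return [int.from_bytes(aes128(rk, (x << (128 - n_a)).to_bytes(16, "big")), "big") >> n_a
            for x in range(1 << n_a)]

def space_encrypt(table, n_a, pt, rounds):   # first n_a bits index the table
    n_b = 128 - n_a
    s = int.from_bytes(pt, "big")
    for r in range(1, rounds + 1):
        x0, rest = s >> n_b, s & ((1 << n_b) - 1)
        s = ((rest ^ table[x0] ^ r) << n_a) | x0
    return s.to_bytes(16, "big")
```

Only the table returned by `build_table` has to ship with a white-box implementation; `space_encrypt` never touches the AES key.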

Security in WhiteBox. The WB attacker has access to the input/output of the table. [Diagram: the WB adversary has full access.]

Security in WhiteBox. The WB attacker has access to the input/output of the table. What the WB adversary can do is the same as what a BB adversary can do for AES: WB adversary = BB adversary. Security of key extraction in the whitebox model reduces to the key recovery problem of AES-128 in the blackbox model. [Diagram: the F function (table), with x and a constant entering E under the k-bit key K, part of the output disregarded, and r and y on the output side.]

Space Hardness. In the whitebox implementation, the key is expanded to a large table: a 128-bit key becomes a large key of a few KB to GB. Space hardness: it is computationally infeasible (difficult) to find any compact representation (incompressibility). Table decomposition is as hard as AES key recovery.

Whitebox Cryptography: Mitigating Code Lifting Attacks. Copying the functionality requires a large space to be isolated from the execution environment: time-consuming work if the network is narrow, and copying is easy to detect by monitoring traffic. The large size discourages the adversary from illegally distributing the code. [Diagram: a table of size T in the execution environment is hard to distribute; T/4 is hard for the adversary to get; ex. SPACE-16, T/4 = 230 MB.]

Summary. Space-hard block cipher: SPACE. Security against key extraction/table decomposition: white-box security is based on black-box security, namely the AES key-recovery problem in the blackbox model. Security against code lifting: space hardness, i.e. it is infeasible to find a compact implementation. High performance: much faster than whitebox AES; whitebox AES (published by Cloakware): 0.4 MB/s; SPACE: 10-100 MB/s. More efficient WB block cipher: SPNbox (@AC16), 6.5-20 times faster than SPACE.

Conclusion. 1. How much information from memory is necessary to extract the secret key? Only 1-bit leakage is enough to extract a key (AES). 2. What are efficient countermeasures against leakage attacks? SPACE is a first whitebox-friendly cipher.

Thank you for your attention