CRYPTACUS Action Meeting, November 6, 2016
Security of Block Ciphers Beyond the Black-box Model
Takanori Isobe, SONY Corporation
About Me
- Researcher/Engineer at Sony Corporation since 2008
- As a researcher: cryptanalysis of symmetric-key primitives (first attack on full GOST @FSE 2011; plaintext recovery attacks on RC4 @FSE 2013 and Spritz @FSE 2016; and more) and design of block ciphers (lightweight block cipher Piccolo @CHES 2011; low-energy block cipher Midori @ASIACRYPT 2015; whitebox-secure block ciphers SPACE/SPNbox @ACM CCS 2015 / ASIACRYPT 2016)
- As an engineer: design/evaluation of the security systems of our products and networks (games on PS Vita/PS4, cameras, TVs and more); writing crypto code for products
Today's Talk: Security beyond the Black-box Model
- As engineers, we often face this problem: untrusted environments; software-only solutions
- Advanced attacks on systems/devices: reverse engineering, cold boot attacks, malware, APT
- Software vulnerabilities: buffer overflow, Heartbleed, Dirty COW
- This talk shows our approaches to addressing these issues
Background: Symmetric-key Cryptography (DES, AES, CMAC, HMAC, GCM)
[Figure: plaintext -> Encryption (key) -> ciphertext; ciphertext -> Decryption (key) -> plaintext]
- Fundamental primitives for security => deployed in almost all our products
Background: Symmetric-key Cryptography (DES, AES, CMAC, HMAC, GCM)
- Designed to be secure in the black-box model: the adversary has access to the input and output (plaintext/ciphertext of encryption/decryption); the internal state and the key are invisible
[Figure: adversary sees only plaintext/ciphertext; key and internal state hidden]
Crypto is Everywhere
- The black-box model fails to reflect reality
Beyond the Black Box
- Cold boot attacks: read the memory contents that remain in the seconds to minutes after power-off
- Software attacks: binary analysis, reverse engineering (e.g. overwrite part of the binary, such as an S-box, to get the key)
- Trojans, malware, or software vulnerabilities (e.g. Heartbleed, buffer overflow) leak part of the secret key or internal state
- Unauthorized access to servers: hacking, cracking, privilege escalation
- Internal states in memory often leak in the real world
Our Questions
1. How much memory leakage is enough to break a system, e.g. to extract the secret key? -> Security of AES under Leakage (@ASIACRYPT 2015, joint work with Andrey Bogdanov)
2. What are efficient countermeasures against leakage attacks?
Motivation: How Secure is AES under Memory Leakage?
- Weakest memory leakage model: only one bit leaks in each execution, and the location of the leaked bit is unknown => limited control of the platform
[Figure: P -> AES-128 (key) -> C, with 1 bit of information leaking at an unknown location]
Two Leakage Models
- Fixed location: the location of the leaked bit is fixed in each execution
- Random location: the location of the leaked bit is random in each execution => models timing/space randomization (software protection)
[Figure: key and P entering the 10 rounds of AES, C at the output, with the leaked bit position marked in the state]
Differential Bias Attack
- Regard the leaked bits as a bit-stream Z_0, Z_1, Z_2, ..., Z_{Ns-1}, where Z_i is the leaked bit of the i-th execution
- Borrow techniques from the stream cipher domain
- Use a pair of plaintexts P and P' with a special difference Δ, which results in a biased (differential) stream only if the key guess is correct
- Guess 32 bits of the key
- Only if the key guess is correct, Pr(Z_i XOR Z'_j = 0) is biased for all i and j; if Z_i and Z'_j are random, Pr(Z_i XOR Z'_j = 0) = 0.5
[Figure: P and P' (difference Δ) each encrypted under the 32-bit key guess, giving streams Z_0, ..., Z_{Ns-1} and Z'_0, ..., Z'_{Ns-1}]
Truncated Differential over 3 Rounds
[Figure: P = #0 and P' = $0 pass through SB, SR, MC over three rounds, giving states #1 to #7 and $1 to $3; legend: probability-one non-zero difference, probability-one zero difference, unknown difference; 32 key bits guessed]
- Exploit this gap: correct key: 21, 27; wrong key: 0, 12
Bitwise Bias from the Truncated Differential
- Positive bitwise bias toward zero in a probability-one zero truncated difference: if Z_i and Z'_j are a pair at the same position, P(Z_i XOR Z'_j = 0) = 1
- Negative bitwise bias toward zero in a probability-one non-zero truncated difference: if Z_i and Z'_j are a pair at the same position, P(Z_i XOR Z'_j = 0) = 1/2 (1 - 2^-7.99) (experimental value 1/2 (1 - 2^-7.92))
- Over the whole stream, Pr(Z_i XOR Z'_j = 0) = 1/2 (1 - 2^-16.02): a strong bias for the correct key
[Figure: P and P' (difference Δ) encrypted under the 32-bit key guess, giving the streams Z_0, ..., Z_{Ns-1} and Z'_0, ..., Z'_{Ns-1}]
Evaluation
- Attack cost to obtain the full 128-bit key: time 2^33, data 2^33
- Even under the weakest leakage assumption (1-bit leakage at a random, unknown location), a practical attack is possible!
[Figure: key and P entering the 10 rounds of AES, C at the output]
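The following Go program is an added example; it is not code from the talk or from the Asiacrypt 2015 paper. It models only the statistical step the slides borrow from stream-cipher analysis: leaked bits are paired, the XORs are counted, and the count is compared with the 1/2 expected of an uncorrelated (wrong-key) stream. The bias 2^-16.02 is the slide's figure; the simulated leakage source, the seeds, the scaled-down bias of 2^-7 and the z-score threshold are constructed for this example. SamplesForBias shows why the data cost lands near 2^33: a bias eps needs on the order of 1/eps^2 pairs to be visible.

```go
package main

import (
	"fmt"
	"math"
	"math/rand"
)

// SamplesForBias returns the number of leaked-bit pairs needed so that a bias
// of 2^-log2Bias in Pr(Z_i xor Z'_j = 0) stands out by z standard deviations.
// With N pairs the number of zero XORs has mean N(1+eps)/2 and standard
// deviation about sqrt(N)/2, so the shift N*eps/2 reaches z*sqrt(N)/2 when
// N = (z/eps)^2.
func SamplesForBias(log2Bias, z float64) float64 {
	eps := math.Pow(2, -log2Bias)
	return (z / eps) * (z / eps)
}

// BiasedPairs is a constructed leakage source (an assumption of this example,
// not a model of AES): each Next call returns the XOR of two leaked bits,
// which is 0 with probability (1+eps)/2. eps = 0 stands for a wrong key guess
// (no correlation); a non-zero eps stands for the correct guess.
type BiasedPairs struct {
	eps float64
	rng *rand.Rand
}

func NewBiasedPairs(eps float64, seed int64) *BiasedPairs {
	return &BiasedPairs{eps: eps, rng: rand.New(rand.NewSource(seed))}
}

func (b *BiasedPairs) Next() byte {
	if b.rng.Float64() < (1+b.eps)/2 {
		return 0
	}
	return 1
}

// ZScore counts zero XORs over n pairs and returns how many standard
// deviations the count lies from the n/2 expected of an unbiased stream.
// A wrong key guess gives a z-score near 0; the correct guess does not.
func ZScore(src func() byte, n int) float64 {
	zeros := 0
	for i := 0; i < n; i++ {
		if src() == 0 {
			zeros++
		}
	}
	mean := float64(n) / 2
	sd := math.Sqrt(float64(n)) / 2
	return (float64(zeros) - mean) / sd
}

func main() {
	// The slide's bias for the correct key, 2^-16.02.
	fmt.Printf("pairs needed for a 2^-16.02 bias at z = 1.4: 2^%.1f\n",
		math.Log2(SamplesForBias(16.02, 1.4)))
	// Scaled-down simulation (bias -2^-7, 2^20 pairs) so it runs in a moment;
	// the sign is negative because the slide's bias is toward one, not zero.
	n := 1 << 20
	right := NewBiasedPairs(-math.Pow(2, -7), 1)
	wrong := NewBiasedPairs(0, 2)
	fmt.Printf("z-score, correct key guess: %.1f\n", ZScore(right.Next, n))
	fmt.Printf("z-score, wrong key guess:   %.1f\n", ZScore(wrong.Next, n))
}
```

For the simulated parameters the correct-key stream sits about eight standard deviations below the mean while the wrong-key stream stays within noise; for the slide's real bias of 2^-16.02 the same arithmetic gives roughly 2^32 to 2^33 pairs, which is where the data figure on the Evaluation slide comes from.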
Extensions
- Noisy leakage setting: possible, but the noise makes it time-consuming
- Known-plaintext attack: possible for the differential bias attack
- Bytewise leakage: somewhat improves the attack complexity
- Other granularities: not only the state after the round function but also the states after SubBytes, MixColumns, etc. can be used to mount differential bias attacks
- AES-192/256 and some other ciphers: the same attacks are directly applicable
- See the paper
Questions from the Real World
1. How much memory information is necessary to extract the secret key? Only 1-bit leakage is enough to extract a key (AES)
2. What are efficient countermeasures against leakage attacks? -> Whitebox-Secure Block Cipher (@ACM CCS 2015, joint work with Andrey Bogdanov)
Whitebox Cryptography
- Implementations of cryptographic algorithms that are secure in the whitebox model
[Figure: key embedded in software, with the adversary holding the software]
Whitebox Model
- The adversary has full access to the crypto algorithm and full control over its execution environment
- Internal values are fully accessible (read/write): the adversary can read any memory and modify internal values and the algorithm itself
[Figure: adversary with read/write access to key, internal state and the encryption/decryption code, plus the plaintext/ciphertext]
Applications: DRM
- Protected content (e.g. movies and music) is decrypted on the user's (adversary's) device
- The adversary may control the platform on which the media player application is executed, and aims to extract a content key
- Also cloud service providers
Applications: HCE (Host Card Emulation)
- Technology that emulates a payment card on a mobile device using only software; a secure element is not necessary
- Android 4.4 supports Host Card Emulation (HCE): Google Wallet, VISA, MasterCard
[Figure: issuer -> cloud server -> credential on the device (whitebox crypto) -> NFC reader -> payment processor]
Application: Memory Leakage
- Software attacks (binary analysis)
- Trojans, malware
- Software vulnerabilities (e.g. Heartbleed, buffer overflow)
- Unauthorized access to servers
History of Whitebox Cryptography
- Academic level: in 2002, Cloakware (Irdeto) published a paper presenting the first whitebox AES scheme; however, all published whitebox AES schemes were practically broken by the BGE attack
- Industrial level: WBC is widely deployed in many applications; details are kept secret and protected with additional countermeasures
- Differential Computational Attack (@CHES 2016): the details of the implementation are not required, so the additional countermeasures do not make sense
- No secure whitebox cipher exists in the public domain
New Whitebox-friendly Encryption Scheme
- A 128-bit block cipher called SPACE (@ACM CCS 2015)
- Secure in the whitebox: security against key extraction reduces to the key recovery problem of AES in the blackbox model
- Space hardness: compression of the code is infeasible, which mitigates code lifting attacks
- High performance: much faster than whitebox AES (whitebox AES published by Cloakware: 0.4 MB/s; others similar; SPACE: 10-100 MB/s)
- Not AES functionality, but the interfaces are the same as AES: SPACE can be considered a mode of operation for AES
SPACE Block Cipher
- Target-heavy Feistel construction
- The 128-bit plaintext is divided into x words of n_a bits each: p_0, p_1, ..., p_{x-1}
- F function: maps n_a bits to (128 - n_a) bits
- In the whitebox, the F function becomes a table
[Figure: plaintext words p_0, p_1, ..., p_{x-1} of n_a bits; F_0, F_1, ... evaluated as table lookups down to the ciphertext]
F-function (Whitebox Table)
- The table is created by AES-128: constrain the plaintext from 128 bits to n_a bits, and truncate the ciphertext from 128 bits to (128 - n_a) bits
[Figure: input x (n_a bits) concatenated with a constant (n - n_a bits) -> AES under key k -> output y (n - n_a bits) kept, r (n_a bits) disregarded]
Security in the Whitebox
- The WB attacker has access to the input/output of the table (full access)
- What the WB adversary can do is the same as what a BB adversary can do against AES: WB adversary = BB adversary
- Security against key extraction in the whitebox reduces to the key recovery problem of AES-128 in the blackbox model
[Figure: the F-function table seen by the WB adversary, with x (n_a bits) in, y (n - n_a bits) out and r disregarded, built from AES under key k]
Space Hardness
- In the whitebox implementation, the 128-bit key is expanded to a large table (a few KB to GB)
- Space hardness: it is computationally infeasible to find any compact representation (incompressibility); table decomposition is as hard as AES key recovery
Whitebox Cryptography Mitigates Code Lifting Attacks
- Copying the functionality requires a large space (the table of size T) to be isolated from the execution environment
- Time-consuming work if the network is narrow, and copying is easy to detect by monitoring traffic
- Discourages the adversary from illegally distributing the code because of its large size
[Figure: execution environment holding the table T (hard to distribute); adversary obtaining T/4 (hard to get); e.g. SPACE-16, T/4 = 230 MB]
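The following Go program is an added example, not the authors' reference code for SPACE. It is a toy model of the construction as the preceding slides describe it: the 128-bit state is split into n_a-bit words, the F function is AES-128 applied to a zero-padded n_a-bit input and truncated to 128 - n_a bits, and in the whitebox setting F is precomputed into a table so that the AES key is discarded after setup and every round is a lookup. Everything the slides leave open is an assumption of this example: the round count, XORing the round counter into the last byte of the F output, placing the F output on the left and the consumed word x0 on the right each round, the all-zero padding constant, and the demo key. TableBytes shows the table size T that the space-hardness and code-lifting slides rely on.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"encoding/binary"
	"fmt"
)

// Space is a toy model of the SPACE-n_a target-heavy Feistel construction.
// wordBytes is n_a/8 (1 for SPACE-8-style, 2 for SPACE-16-style words).
type Space struct {
	wordBytes int
	rounds    int      // assumed parameter, not taken from the specification
	table     [][]byte // whitebox table: F(x) for every n_a-bit input x
}

// NewSpace expands the AES-128 key into the whitebox table; afterwards the
// key is not needed, which is the point of the construction.
func NewSpace(key []byte, wordBytes, rounds int) (*Space, error) {
	if wordBytes != 1 && wordBytes != 2 {
		return nil, fmt.Errorf("wordBytes must be 1 or 2")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	n := 1 << (8 * wordBytes)
	table := make([][]byte, n)
	in, out := make([]byte, 16), make([]byte, 16)
	for x := 0; x < n; x++ {
		// Constrain the plaintext: zero constant followed by the n_a-bit x
		// (the padding constant is an assumption of this example).
		for i := range in {
			in[i] = 0
		}
		if wordBytes == 1 {
			in[15] = byte(x)
		} else {
			binary.BigEndian.PutUint16(in[14:], uint16(x))
		}
		block.Encrypt(out, in)
		// Truncate the ciphertext to 128 - n_a bits; the rest is disregarded.
		table[x] = append([]byte(nil), out[:16-wordBytes]...)
	}
	return &Space{wordBytes: wordBytes, rounds: rounds, table: table}, nil
}

// TableBytes is the size T of the whitebox table in bytes.
func (s *Space) TableBytes() int { return len(s.table) * (16 - s.wordBytes) }

func (s *Space) index(word []byte) int {
	if s.wordBytes == 1 {
		return int(word[0])
	}
	return int(binary.BigEndian.Uint16(word))
}

// f is the round function: in the whitebox setting, one table lookup.
func (s *Space) f(word []byte) []byte { return s.table[s.index(word)] }

// Encrypt applies the assumed round: state' = (F(x0) xor rest xor r) || x0.
func (s *Space) Encrypt(pt []byte) []byte {
	if len(pt) != 16 {
		panic("block must be 16 bytes")
	}
	state := append([]byte(nil), pt...)
	w := s.wordBytes
	for r := 0; r < s.rounds; r++ {
		x0, rest, fx := state[:w], state[w:], s.f(state[:w])
		next := make([]byte, 16)
		for i := range rest {
			next[i] = rest[i] ^ fx[i]
		}
		next[15-w] ^= byte(r) // round counter placement is assumed
		copy(next[16-w:], x0)
		state = next
	}
	return state
}

// Decrypt inverts the rounds: x0 is the last word of the state, and the left
// part is recovered by xoring F(x0) and the round counter back out.
func (s *Space) Decrypt(ct []byte) []byte {
	state := append([]byte(nil), ct...)
	w := s.wordBytes
	for r := s.rounds - 1; r >= 0; r-- {
		x0, left, fx := state[16-w:], state[:16-w], s.f(state[16-w:])
		prev := make([]byte, 16)
		copy(prev[:w], x0)
		for i := range left {
			prev[w+i] = left[i] ^ fx[i]
		}
		prev[15] ^= byte(r)
		state = prev
	}
	return state
}

func main() {
	key := []byte("0123456789abcdef") // constructed demo key
	s, err := NewSpace(key, 2, 128)   // 16-bit words, 128 rounds (assumed)
	if err != nil {
		panic(err)
	}
	pt := []byte("sixteen byte msg")
	ct := s.Encrypt(pt)
	fmt.Printf("table size T: %d bytes\nct: %x\nround trip ok: %v\n",
		s.TableBytes(), ct, bytes.Equal(s.Decrypt(ct), pt))
}
```

Because the table is the only key-dependent material left at run time, what a whitebox adversary sees is exactly the AES input/output pairs the table was built from, which is the reduction to blackbox AES key recovery stated on the preceding slides; the table size returned by TableBytes (2^16 entries of 14 bytes for 16-bit words) is what an adversary must lift to copy the functionality.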
Summary
- Space-hard block cipher: SPACE
- Security against key extraction/table decomposition: white-box security is based on black-box security (the AES key-recovery problem in the blackbox model)
- Security against code lifting: space hardness (infeasible to find a compact implementation)
- High performance: much faster than whitebox AES (whitebox AES published by Cloakware: 0.4 MB/s; SPACE: 10-100 MB/s)
- A more efficient WB block cipher: SPNbox (@ASIACRYPT 2016), 6.5-20 times faster than SPACE
Conclusion
1. How much memory information is necessary to extract the secret key? Only 1-bit leakage is enough to extract a key (AES)
2. What are efficient countermeasures against leakage attacks? SPACE is the first whitebox-friendly cipher
Thank you for your attention