White-Box Cryptography State of the Art. Paul Gorissen

Similar documents
Differential Computation Analysis Hiding your White-Box Designs is Not Enough. Joppe W. Bos

White-Box Cryptography

Differential Computation Analysis Hiding your White-Box Designs is Not Enough

Differential Computation Analysis Hiding your White-Box Designs is Not Enough

Unboxing the whitebox. Jasper van CTO Riscure North America ICMC 16

Cryptography Basics. IT443 Network Security Administration Slides courtesy of Bo Sheng

Cryptographic Concepts

PROTECTING CONVERSATIONS

Part VI. Public-key cryptography

Security. Communication security. System Security

9/30/2016. Cryptography Basics. Outline. Encryption/Decryption. Cryptanalysis. Caesar Cipher. Mono-Alphabetic Ciphers

CSCI 454/554 Computer and Network Security. Topic 2. Introduction to Cryptography

CSE 127: Computer Security Cryptography. Kirill Levchenko

Outline. Cryptography. Encryption/Decryption. Basic Concepts and Definitions. Cryptography vs. Steganography. Cryptography: the art of secret writing

Security: Cryptography

Encryption. INST 346, Section 0201 April 3, 2018

Distributed Systems. 26. Cryptographic Systems: An Introduction. Paul Krzyzanowski. Rutgers University. Fall 2015

Computer Security: Principles and Practice

Some Stuff About Crypto

Computer Security. 08. Cryptography Part II. Paul Krzyzanowski. Rutgers University. Spring 2018

Basic Concepts and Definitions. CSC/ECE 574 Computer and Network Security. Outline

CRYPTOLOGY KEY MANAGEMENT CRYPTOGRAPHY CRYPTANALYSIS. Cryptanalytic. Brute-Force. Ciphertext-only Known-plaintext Chosen-plaintext Chosen-ciphertext

18-642: Cryptography 11/15/ Philip Koopman

2.1 Basic Cryptography Concepts

CSCE 813 Internet Security Symmetric Cryptography

A Tutorial on White-box AES

2/7/2013. CS 472 Network and System Security. Mohammad Almalag Lecture 2 January 22, Introduction To Cryptography

CSC/ECE 774 Advanced Network Security

Secure Multiparty Computation

Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls

L13. Reviews. Rocky K. C. Chang, April 10, 2015

Keynote: White-Box Cryptography

Computer Security 3/23/18

Public-key encipherment concept

CSC 774 Network Security

Public-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7

Encrypted Data Deduplication in Cloud Storage

RSA (material drawn from Avi Kak Lecture 12, Lecture Notes on "Computer and Network Security" Used in asymmetric crypto.

1-7 Attacks on Cryptosystems

Cryptographic Systems

Cryptography Introduction to Computer Security. Chapter 8

Cryptography III. Public-Key Cryptography Digital Signatures. 2/1/18 Cryptography III

Cryptography MIS

Grenzen der Kryptographie

Classical Cryptography. Thierry Sans

David Wetherall, with some slides from Radia Perlman s security lectures.

Computer Security. 08r. Pre-exam 2 Last-minute Review Cryptography. Paul Krzyzanowski. Rutgers University. Spring 2018

Journal of Global Research in Computer Science A UNIFIED BLOCK AND STREAM CIPHER BASED FILE ENCRYPTION

CPSC 467b: Cryptography and Computer Security

Authentication Part IV NOTE: Part IV includes all of Part III!

INTRODUCTION TO CLOAKWARE/TRS TECHNOLOGY

EEC-484/584 Computer Networks

A different kind of Crypto

A Cautionary Note on Weak Implementations of Block Ciphers

Security+ Guide to Network Security Fundamentals, Third Edition. Chapter 11 Basic Cryptography

What did we talk about last time? Public key cryptography A little number theory

PGP: An Algorithmic Overview

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Encryption and Forensics/Data Hiding

Introduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell

Encryption Providing Perfect Secrecy COPYRIGHT 2001 NON-ELEPHANT ENCRYPTION SYSTEMS INC.

Cryptography and Network Security. Sixth Edition by William Stallings

Sankalchand Patel College of Engineering, Visnagar Department of Computer Engineering & Information Technology. Question Bank

Vertex Magic Total Labeling of Complete Graphs and their application for Public-Key Cryptosystem

A New Symmetric Key Algorithm for Modern Cryptography Rupesh Kumar 1 Sanjay Patel 2 Purushottam Patel 3 Rakesh Patel 4

Side-Channel Attacks on RSA with CRT. Weakness of RSA Alexander Kozak Jared Vanderbeck

Introduction to Cryptography. Vasil Slavov William Jewell College

Hiding Information in Software

CSC 580 Cryptography and Computer Security

ICT 6541 Applied Cryptography. Hossen Asiful Mustafa

Public-Key Cryptography

CSC 474/574 Information Systems Security

Ref:

Cryptography Symmetric Cryptography Asymmetric Cryptography Internet Communication. Telling Secrets. Secret Writing Through the Ages.

Public Key Cryptography and RSA

A White-Box DES Implementation for DRM Applications

Outline. Data Encryption Standard. Symmetric-Key Algorithms. Lecture 4

Number Theory and RSA Public-Key Encryption

Chapter 3 Traditional Symmetric-Key Ciphers 3.1

Cryptography & Key Exchange Protocols. Faculty of Computer Science & Engineering HCMC University of Technology

External Encodings Do not Prevent Transient Fault Analysis

Introduction to Network Security Missouri S&T University CPE 5420 Data Encryption Standard

18-642: Cryptography

Side channel attack: Power Analysis. Chujiao Ma, Z. Jerry Shi CSE, University of Connecticut

CPSC 467: Cryptography and Computer Security

Lecture 6: Symmetric Cryptography. CS 5430 February 21, 2018

CS573 Data Privacy and Security. Cryptographic Primitives and Secure Multiparty Computation. Li Xiong

Message authentication. Why message authentication. Authentication primitives. and secure hashing. To prevent against:

Applying TVLA to Public Key Cryptographic Algorithms. Michael Tunstall Gilbert Goodwill

Cryptanalysis. Ed Crowley

Computers and Security

Study on data encryption technology in network information security. Jianliang Meng, Tao Wu a

Summary on Crypto Primitives and Protocols

Syrvey on block ciphers

Cryptography and Network Security 2. Symmetric Ciphers. Lectured by Nguyễn Đức Thái

Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010

Using Cryptography CMSC 414. October 16, 2017

Public-key Cryptography: Theory and Practice

Protocols II. Computer Security Lecture 12. David Aspinall. 17th February School of Informatics University of Edinburgh

Cryptography ThreeB. Ed Crowley. Fall 08

Transcription:

White-Box Cryptography State of the Art Paul Gorissen paul.gorissen@philips.com

Outline Introduction Attack models White-box cryptography How it is done Interesting properties State of the art Conclusion Philips Research 20 October 2008 2

Introduction Remote server Alice content firmware services... Bob One generally encrypts data to protect it from malicious use. To get the key, the device will be attacked instead of the link. Problem to be solved: How to protect a key on a device. Solution depends on attack model: to how much information does an attacker have access. Philips Research 20 October 2008 3

Black-box attack model Bob Computation cannot be observed (device is a black box) Only the communication link is observable Assumptions may be too strong if communicating parties are not trusted. Philips Research 20 October 2008 4

Grey-box attack model Bob Performance characteristics of computation can be observed timing information power consumption sound Problem: new types of side-channel attacks are found and published every few months. Philips Research 20 October 2008 5

White-box attack model Computation can be fully observed Bob full access to and full control over the device Observation: if we have a secure implementation in this model, we are automatically secure against all possible side-channel attacks. Philips Research 20 October 2008 6

White-box cryptography Prevent an attacker from extracting the key from a software program that implements a cryptographic algorithm. The key cannot be extracted by analyzing the code The key cannot be extracted by analyzing the intermediate results during execution. while the attacker is assumed to have full access to the software implementation and full control over the execution environment (white-box attack model). Philips Research 20 October 2008 7

Outline Introduction Attack models White-box cryptography How it is done Interesting properties State of the art Conclusion Philips Research 20 October 2008 8

White-Box Cryptography How it is done Input T1 T2 T3 f 1 Decryption f 2 f 3 routine f 1-1 f 2-1 T4 f 4 + f 4-1 f 3-1 T5 Output A recipe for a white-box implementation of a symmetric block cipher Convert the cipher to a lookup table implementation Key and algorithm are merged in lookup tables Obscure the network of tables Obfuscate inputs and outputs of each table Philips Research 20 October 2008 9

White-Box Cryptography White-Box Key Usually white-boxing is achieved by hiding the secret key ( classic key ) in a larger bit-string ( white-box key ) = Symmetric ciphers: key is hidden in implementation of the algorithm Asymmetric ciphers: key is replaced by a larger, equivalent key Philips Research 20 October 2008 10

Outline Introduction Attack models White-box cryptography How it is done Interesting properties State of the art Conclusion Philips Research 20 October 2008 11

Interesting property 1: side channel attacks White box implementations can increase the resistance against side-channel attacks (differential power analysis, timing analysis) if the execution is sufficiently randomized. White-box implementations offer many opportunities for randomizing the execution White-box implementations can increase the resistance against the exploitation of software bugs and fault injection attacks if the white-box key is much larger than the classic key Typically, one bug or fault will recover only a small part of the key, and it becomes increasingly difficult to find enough bugs to exploit, or different faults to inject, when the size of the key increases. Philips Research 20 October 2008 12

Interesting property 2: asymmetry When implementing symmetric ciphers in a traditional way the difference between encryption and decryption is in the algorithm Encryption and decryption key are identical If you know the encryption key, you can also decrypt (and vice versa) In white-box implementations the encryption key is different from the decryption key A system that performs encryption cannot be used for decryption (or vice versa) Philips Research 20 October 2008 13

Interesting property 3: information binding Any arbitrary string of bits can be included in the white-box key string length can be thousands of bits (size has practical limits, no theoretical limit) a modification of the string will destroy the white-box implementation Examples of an included bit-string: White-box key can be locked to hardware By including hardware characteristics in the white-box key Visible string can be included in the white-box key e.g. (C) Royal Philips Electronics, or the name of the customer A43RS (C)Philips 96GDB => A43RS (C)Pirates 96GDB A43RS (C)Philips 96GDB => GF45DJ326254UT53BVSA20 Hidden (forensic) trace-mark can be put in the white-box key Makes it possible to find the source of a leak ( traitor tracing ) Philips Research 20 October 2008 14

Forensic key watermarking All white-box implementations have the same cryptographic functionality. Include a user identifier in the white-box implementation. Each user gets a traceable white-box implementation. Philips Research 20 October 2008 15

Node locking Include a hardware identifier in the white-box implementation. Give a user a white-box implementation in which the hardware identifier is omitted. The white-box implementation only works on a system with the correct hardware identifier. Philips Research 20 October 2008 16

Node locking Decryption routine Encrypted movie Hardware identifier set-top box decrypted movie White-box implementation Encrypted movie set-top box decrypted movie Philips Research 20 October 2008 17

Software tamper resistance code lookup tables Include a binary software image in the whitebox implementation. Software gets a dual interpretation. Changing the code changing the white-box implementation (key) cryptographic operation disabled Philips Research 20 October 2008 18

Software tamper resistance License verification Decryption routine Encrypted movie set-top box decrypted movie Encrypted movie License verification White-box implementation set-top box decrypted movie Philips Research 20 October 2008 19

Outline Introduction Attack models White-box cryptography How it is done Interesting properties State of the art Conclusion Philips Research 20 October 2008 20

asymmetric ciphers State of the art (1) known white-box methods We do not know any publication describing white-box implementations of RSA or ECC Several companies offer white-box implementations of RSA and ECC: Cloakware http://www.cloakware.com/ Arxan http://www.arxan.com Syncrosoft http://www.syncrosoft.com Philips Research 20 October 2008 21

symmetric ciphers State of the art (2) known white-box methods White-box implementations for DES [1] and AES [2] have been published. Several companies offer white-box implementations of AES and DES Cloakware http://www.cloakware.com/ Syncrosoft http://www.syncrosoft.com 1) Chow, S., Eisen, P., Johnson, H., van Oorschot, P.C.: A White-Box DES Implementation for DRM Applications. Proceedings of the 2nd ACM Workshop on Digital Rights Management, 1-15, 2002. 2) Chow, S., Eisen, P., Johnson, H., van Oorschot, P.C.: White-Box Cryptography and an AES Implementation. Proceedings of the 9th Annual Workshop on Selected Areas in Cryptography, 250-270, 2002. Philips Research 20 October 2008 22

symmetric ciphers State of the art (3) - attacks on white-box crypto The published white-box implementations of AES and DES have been broken The classic key can be found in 2 30 time for AES [1] and in 2 14 for DES [2] Philips has shown that standard methods of symmetric cipher construction have fundamental weaknesses for a strong whitebox implementation [3] AES and DES are not suitable for applications that need secure white-box implementations New ciphers, or new white-box techniques, are needed to allow secure white-box implementations 1) Billet, O., Gilbert, H., Ech-Chatbi, C.: Cryptanalysis of a White-Box AES Implementation. Proceedings of the 11th Annual Workshop on Selected Areas in Cryptography, 227-- 240, 2004. 2) Wyseur, B., Michiels, W., Gorissen, P., Preneel, B.: Cryptanalysis of White-Box DES Implementations with Arbitrary External Encodings. Proceedings of the 14th Annual Workshop on Selected Areas in Cryptography, 264--277, 2007. 3) Michiels, W., Gorissen, P., and Hollmann, H.D.L.: Cryptanalysis of a Generic Class of White-Box Implementations, Proceedings of the 15th Annual Workshop on Selected Areas in Cryptography (SAC 2008), 392-406, 2008 Philips Research 20 October 2008 23

State of the art (4) - beyond parlor tricks and obfuscation symmetric ciphers Is it impossible to achieve real security with white-box crypto? It is quite clear that AES and DES cannot be securely whiteboxed It is possible to construct symmetric ciphers that have the right characteristics to resist the known attacks on white-box methods: Enlarge the key-dependent operations of the cipher by making the diffusion matrix and/or S-box variable and/or key-dependent Use a diffusion operator other than matrix multiplication MDS matrices, for example, should be avoided. Philips Research 20 October 2008 24

Outline Introduction Attack models White-box cryptography How it is done Interesting properties State of the art Conclusion Philips Research 20 October 2008 25

Conclusions White-box implementations can have useful properties, but beware different white-box methods have different security properties Philips Research 20 October 2008 26

RSA Decryption asymmetric ciphers RSA key d n Ciphertext Plaintext Philips Research 20 October 2008 28

White-box RSA Philips method (1) asymmetric ciphers Arbitrary string S RSA key d String S f(s,d) White-Box RSA key d n Ciphertext Plaintext Philips Research 20 October 2008 29

White-box RSA: Philips method (2) asymmetric ciphers RSA is a matter of exponents: Choose prime p and q and create n = p*q Choose public key e Create private key d Encrypt: ciphertext = message e mod n Decrypt: message = ciphertext d mod n Expand the key d by creating an equivalent larger key New key d = d + b * φ φ = (p-1)*(q-1) is the Euler function By a proper choice of b, we can include any bit string S in the binary representation of d. Philips Research 20 October 2008 30

White-box RSA: Summary (1) asymmetric ciphers RSA key size can be enlarged from k bits (typically 1024-2048 bits) to an arbitrary number of bits Linear processing speed reduction Bit length = 10*1024; new speed = old speed/10 Arbitrary bit strings can be included Maximum size of included bit strings will be on the order of thousands of bits due to practical performance degradation limits Philips Research 20 October 2008 31

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback