sullivan white boxcrypto-baythreat-2013
Post on 20-Jun-2015
White-box Cryptography
What do you do when they’re in your server room?
BayThreat
December 6th, 2013
Nick Sullivan
@grittygrease
My Background
• Systems Engineering at CloudFlare
• Cryptography at Apple
• Threat analysis at Symantec
• M.Sc. in Cryptography
• Undergraduate Pure Mathematics
What this talk is about
• Introduction to white-box cryptography
• Why we need this now more than ever
• Key concepts for implementations
• Steps for the future — with an announcement
Let’s talk about physical access
• If an attacker has physical access, they have everything, right?
• Cold Boot, Evil Maid, Jailbreak, etc.
• It only takes time
• Solution: Lock it up!
Let’s talk about physical access
• What about servers?
• Where are modern servers kept?
• Your own data center?
• A “physically secure” co-location facility?
• On a virtual machine in the cloud?
• On a globally-distributed CDN?
• Under which national jurisdiction?
Server Breaches Happen
• How long does it take to get your secrets?
• Reverse engineering skill of attacker
• Diminishing cost to attacker as skills and tools accumulate
• Wouldn’t it be great if there was a computational burden placed on the attacker for every new secret?
• You could rotate your secrets on a fixed schedule
Standard Crypto Model (Black-box)
[Figure: Alice, Bob and Eve; adversary icons: Sam Small]
Side-channel Attacks (Grey-box)
[Figure: Alice, Bob and Eve]
White-box threat model
[Figure: Alice, Bob and Eve]
White-box threat model
[Figure: Aleve and Bob]
White-box Cryptography
• Cryptographic implementations that hide the key from everyone
• Attackers on the wire
• Attackers outside the house
• Attackers inside the house (evil maids included)
White-box cryptography
• Protection against key extraction in the strongest possible threat model
• Secures keys, not data
• White-box attackers no better off than black-box attackers
For Example
• Digital Rights Management
• The key protecting streams from Spotify, Netflix, etc.
• Decryption and consumption of content happens in a controlled way
• The attacker is the consumer “Aleve”
White-box cryptography
• History
• Invented in 2002 by Chow et al.
• Resurgence in academic attention in last two years — breaks, new constructions
• Work in progress
• No perfect white-boxes, only relatively strong ones
• General function obfuscator is not possible (Barak, 2001)
• Ciphers are not proven to be impossible to obfuscate
What does it get you?
• Attackers cannot transform the key into a known form
• Algorithm or code has to be lifted or leveraged
• Prevents BORE (break once run everywhere) attacks
• Can’t plug into standard cryptography libraries
• Nation-state attackers use specialized hardware
• Traitor tracing
• You can rotate keys on a schedule since cost to break is bounded
Which algorithms?
• Symmetric Key Cryptography
• DES
• AES
• Public Key Cryptography?
• RSA (maybe?)
• ECC (maybe?)
Example Implementation
• 128-bit AES
• 16 byte key, 16 byte message block
• What about replacing implementation with a lookup table?
• Map from input to output indexed by order
• Lookup table has minimal information about structure of algorithm — black box
• 2^128 possible inputs of size 128 bits
• Storage of 5 x 10^27 terabytes — too much
Example Implementation
• AES Internals
• SubBytes — Byte-wise substitution
• ShiftRows — Permutation of bytes
• MixColumns — Linear combination of bytes
• AddRoundKey — XOR a piece of the key
AES
Example Implementation
• AddRoundKey, SubBytes
• Can be merged into one operation — byte-wise lookup table called a T-box
• MixColumns
• Linear combination — byte-wise lookup table for constants
• Nibble-wise lookup tables for linear factors
• Lots of lookup tables can be combined
Internal Encoding
• Composition of functions
• Chaining random lookup tables
White-box compiler
• Inputs
• White box description
• Random seed
• Key value
• Output
• Implementation of encryption/decryption for given key
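As an added illustration (not code from the talk or from Open WhiteBox), the sketch below plays the role of the compiler for a toy byte pipeline: it takes key bytes and a random seed, merges AddRoundKey and SubBytes into T-boxes, and chains them through random internal encodings. ShiftRows, MixColumns and external encodings are omitted, and all function names are assumptions of this example.

```python
# Added example; function names are illustrative, not from any library.
import random

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial 0x11B."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def aes_sbox():
    """AES S-box: inverse in GF(2^8), then the affine map with constant 0x63."""
    box = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if gf_mul(x, y) == 1), 0)
        rot = lambda n: ((inv << n) | (inv >> (8 - n))) & 0xFF
        box.append(inv ^ rot(1) ^ rot(2) ^ rot(3) ^ rot(4) ^ 0x63)
    return box

SBOX = aes_sbox()

def t_box(key_byte):
    """AddRoundKey and SubBytes merged into one 256-entry table (a T-box)."""
    return [SBOX[x ^ key_byte] for x in range(256)]

def compile_chain(key_bytes, seed):
    """Toy compiler: key bytes and a seed in, chained encoded tables out."""
    rng = random.Random(seed)  # demo PRNG, not a CSPRNG
    decode = list(range(256))  # first table takes unencoded input
    tables = []
    for i, k in enumerate(key_bytes):
        encode = rng.sample(range(256), 256)  # random bijection on bytes
        if i == len(key_bytes) - 1:
            encode = list(range(256))  # last table emits unencoded output
        plain = t_box(k)
        tables.append([encode[plain[decode[x]]] for x in range(256)])
        decode = [encode.index(v) for v in range(256)]  # next table undoes it
    return tables

def run_chain(tables, x):
    for table in tables:
        x = table[x]
    return x

def key_from_plain_tbox(table):
    """An unencoded T-box gives up its key byte, because T[0] = S[k]."""
    return SBOX.index(table[0])
```

An unencoded `t_box(k)` reveals `k` through `key_from_plain_tbox`, which is why each emitted table is wrapped in encodings that only cancel when the tables are chained.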
Costs
• Key size — Pre-scheduling causes key inflation
• Memory cost — Large lookup tables
• Performance cost — 5-10x in some cases
• Engineering cost — Integration, other anti-tampering techniques
In the industry
• Mostly licensed for digital rights management — $$$
• Practical breaks (marcan42, Alberto Battistello, Phrack Magazine)
• No commercial grade open source implementation
• An affordable solution is needed
Introducing Open WhiteBox
Introducing Open WhiteBox
• Group of individuals working to make white box cryptography accessible to the public
• Open source white box compiler (using LLVM)
• Working towards implementation of best current academic proposals
• Initial focus on server-side applications
• Participate in the conversation on Twitter @OpenWhiteBox
Questions?
BayThreat
December 6th, 2013
Nick Sullivan
@grittygrease
@OpenWhiteBox