Download - Sullivan white boxcrypto-baythreat-2013
![Page 1: Sullivan white boxcrypto-baythreat-2013](https://reader034.vdocument.in/reader034/viewer/2022042815/55851798d8b42ac10a8b5378/html5/thumbnails/1.jpg)
White-box CryptographyWhat do you do when they’re in your server room?
BayThreat
December 6th, 2013
!Nick Sullivan
@grittygrease
![Page 2: Sullivan white boxcrypto-baythreat-2013](https://reader034.vdocument.in/reader034/viewer/2022042815/55851798d8b42ac10a8b5378/html5/thumbnails/2.jpg)
My Background• Systems Engineering at CloudFlare
• Cryptography at Apple
• Threat analysis at Symantec
• M.Sc. in Cryptography
• Undergraduate Pure Mathematics
2
![Page 3: Sullivan white boxcrypto-baythreat-2013](https://reader034.vdocument.in/reader034/viewer/2022042815/55851798d8b42ac10a8b5378/html5/thumbnails/3.jpg)
What this talk is about• Introduction to white-box cryptography
• Why we need this now more than ever
• Key concepts for implementations
• Steps for the future — with an announcement
3
![Page 4: Sullivan white boxcrypto-baythreat-2013](https://reader034.vdocument.in/reader034/viewer/2022042815/55851798d8b42ac10a8b5378/html5/thumbnails/4.jpg)
Let’s talk about physical access• If an attacker has physical access, they have everything, right?
• Cold Boot, Evil Maid, Jailbreak, etc.
• It only takes time
!
• Solution: Lock it up!
4
![Page 5: Sullivan white boxcrypto-baythreat-2013](https://reader034.vdocument.in/reader034/viewer/2022042815/55851798d8b42ac10a8b5378/html5/thumbnails/5.jpg)
Let’s talk about physical access• What about servers?
• Where are modern servers kept?
• Your own data center?
• A “physically secure” co-location facility?
• On a virtual machine in the cloud?
• On a globally-distributed CDN?
• Under which national jurisdiction?
5
![Page 6: Sullivan white boxcrypto-baythreat-2013](https://reader034.vdocument.in/reader034/viewer/2022042815/55851798d8b42ac10a8b5378/html5/thumbnails/6.jpg)
Server Breaches Happen• How long does it take to get your secrets?
• Reverse engineering skill of attacker
• Diminishing cost to attacker as skills and tools accumulate
!
• Wouldn’t it be great if there was a computational burden placed on the attacker for every new secret?
• You could rotate your secrets on a fixed schedule
6
![Page 7: Sullivan white boxcrypto-baythreat-2013](https://reader034.vdocument.in/reader034/viewer/2022042815/55851798d8b42ac10a8b5378/html5/thumbnails/7.jpg)
Standard Crypto Model (Black-box)
7
adversary icons: Sam Small
Alice Bob
Eve
![Page 8: Sullivan white boxcrypto-baythreat-2013](https://reader034.vdocument.in/reader034/viewer/2022042815/55851798d8b42ac10a8b5378/html5/thumbnails/8.jpg)
Side-channel Attacks (Grey-box)
8
adversary icons: Sam Small
Alice Bob
Eve
![Page 9: Sullivan white boxcrypto-baythreat-2013](https://reader034.vdocument.in/reader034/viewer/2022042815/55851798d8b42ac10a8b5378/html5/thumbnails/9.jpg)
White-box threat model
9
adversary icons: Sam Small
Alice Bob
Eve
![Page 10: Sullivan white boxcrypto-baythreat-2013](https://reader034.vdocument.in/reader034/viewer/2022042815/55851798d8b42ac10a8b5378/html5/thumbnails/10.jpg)
White-box threat model
10
adversary icons: Sam Small
Aleve Bob
![Page 11: Sullivan white boxcrypto-baythreat-2013](https://reader034.vdocument.in/reader034/viewer/2022042815/55851798d8b42ac10a8b5378/html5/thumbnails/11.jpg)
White-box Cryptography• Cryptographic implementations that hide the key from everyone
• Attackers on the wire
• Attackers outside the house
• Attackers inside the house (evil maids included)
11
![Page 12: Sullivan white boxcrypto-baythreat-2013](https://reader034.vdocument.in/reader034/viewer/2022042815/55851798d8b42ac10a8b5378/html5/thumbnails/12.jpg)
White-box cryptography• Protection against key extraction in the strongest possible threat model
• Secures keys, not data
• White-box attackers no better off than black-box attackers
12
![Page 13: Sullivan white boxcrypto-baythreat-2013](https://reader034.vdocument.in/reader034/viewer/2022042815/55851798d8b42ac10a8b5378/html5/thumbnails/13.jpg)
For Example• Digital Rights Management
• The key protecting streams from Spotify, Netflix, etc.
• Decryption and consumption of content happens in a controlled way
• The attacker is the consumer “Aleve”
13
![Page 14: Sullivan white boxcrypto-baythreat-2013](https://reader034.vdocument.in/reader034/viewer/2022042815/55851798d8b42ac10a8b5378/html5/thumbnails/14.jpg)
White-box cryptography• History
• Invented in 2002 by Chow et al.
• Resurgence in academic attention in last two years — breaks, new constructions
• Work in progress
• No perfect white-boxes, only relatively strong ones
• General function obfuscator is not possible (Barak, 2001)
• Ciphers are not proven to be impossible to obfuscate
14
![Page 15: Sullivan white boxcrypto-baythreat-2013](https://reader034.vdocument.in/reader034/viewer/2022042815/55851798d8b42ac10a8b5378/html5/thumbnails/15.jpg)
What does it get you?• Attackers cannot transform the key into a known form
• Algorithm or code has to be lifted or leveraged
• Prevents BORE (break once run everywhere) attacks
• Can’t plug into standard cryptography libraries
• Nation-state attackers use specialized hardware
• Traitor tracing
• You can rotate keys on a schedule since cost to break is bounded
15
![Page 16: Sullivan white boxcrypto-baythreat-2013](https://reader034.vdocument.in/reader034/viewer/2022042815/55851798d8b42ac10a8b5378/html5/thumbnails/16.jpg)
Which algorithms?• Symmetric Key Cryptography
• DES
• AES
!
• Public Key Cryptography?
• RSA (maybe?)
• ECC (maybe?)
16
![Page 17: Sullivan white boxcrypto-baythreat-2013](https://reader034.vdocument.in/reader034/viewer/2022042815/55851798d8b42ac10a8b5378/html5/thumbnails/17.jpg)
Example Implementation• 128-bit AES
• 16 byte key, 16 byte message block
• What about replacing implementation with a lookup table?
• Map from input to output indexed by order
• Lookup table has minimal information about structure of algorithm — black box
• 2^128 possible inputs of size 128bit
• Storage of 5 x 10^27 terabytes — too much
17
![Page 18: Sullivan white boxcrypto-baythreat-2013](https://reader034.vdocument.in/reader034/viewer/2022042815/55851798d8b42ac10a8b5378/html5/thumbnails/18.jpg)
Example Implementation• AES Internals
• SubBytes — Byte-wise substitution
• ShiftRows — Permutation of bytes
• MixColumns — Linear combination of bytes
• AddRoundKeys — XOR a piece of the key
18
![Page 19: Sullivan white boxcrypto-baythreat-2013](https://reader034.vdocument.in/reader034/viewer/2022042815/55851798d8b42ac10a8b5378/html5/thumbnails/19.jpg)
AES
19
![Page 20: Sullivan white boxcrypto-baythreat-2013](https://reader034.vdocument.in/reader034/viewer/2022042815/55851798d8b42ac10a8b5378/html5/thumbnails/20.jpg)
Example Implementation• AddRoundKey, SubBytes
• Can be merged into one operation — byte-wise lookup table called a T-box
• MixColumns
• Linear combination — byte-wise lookup table for constants
• Nibble-wise lookup tables for linear factors
• Lots of lookup tables can be combined
20
![Page 21: Sullivan white boxcrypto-baythreat-2013](https://reader034.vdocument.in/reader034/viewer/2022042815/55851798d8b42ac10a8b5378/html5/thumbnails/21.jpg)
Internal Encoding• Composition of functions
!
!
!
!
!
!
• Chaining random lookup tables
21
![Page 22: Sullivan white boxcrypto-baythreat-2013](https://reader034.vdocument.in/reader034/viewer/2022042815/55851798d8b42ac10a8b5378/html5/thumbnails/22.jpg)
White-box compiler• Inputs
• White box description
• Random seed
• Key value
• Output
• Implementation of encryption/decryption for given key
22
4663900
![Page 23: Sullivan white boxcrypto-baythreat-2013](https://reader034.vdocument.in/reader034/viewer/2022042815/55851798d8b42ac10a8b5378/html5/thumbnails/23.jpg)
Costs• Key size — Pre-scheduling causes key inflation
• Memory cost — Large lookup tables
• Performance cost — 5-10x in some cases
• Engineering cost — Integration, other anti-tampering techniques
23
![Page 24: Sullivan white boxcrypto-baythreat-2013](https://reader034.vdocument.in/reader034/viewer/2022042815/55851798d8b42ac10a8b5378/html5/thumbnails/24.jpg)
In the industry• Mostly licensed for digital rights management — $$$
• Practical breaks (marcan42, Alberto Battistello, Phrack Magazine)
!
• No commercial grade open source implementation
• An affordable solution is needed
24
![Page 25: Sullivan white boxcrypto-baythreat-2013](https://reader034.vdocument.in/reader034/viewer/2022042815/55851798d8b42ac10a8b5378/html5/thumbnails/25.jpg)
Introducing Open WhiteBox
25
![Page 26: Sullivan white boxcrypto-baythreat-2013](https://reader034.vdocument.in/reader034/viewer/2022042815/55851798d8b42ac10a8b5378/html5/thumbnails/26.jpg)
Introducing Open WhiteBox• Group of individuals working to make white box cryptography accessible to the public
• Open source white box compiler (using LLVM)
• Working towards implementation of best current academic proposals
• Initial focus on server-side applications
!
• Participate in the conversation on Twitter @OpenWhiteBox
26
![Page 27: Sullivan white boxcrypto-baythreat-2013](https://reader034.vdocument.in/reader034/viewer/2022042815/55851798d8b42ac10a8b5378/html5/thumbnails/27.jpg)
Questions?
27
BayThreat
December 6th, 2013
!Nick Sullivan
@grittygrease
@OpenWhiteBox