Download - White-box Cryptography -BayThreat 2013
![Page 1: White-box Cryptography -BayThreat 2013](https://reader038.vdocument.in/reader038/viewer/2022103016/554a2fb1b4c90542548b53c1/html5/thumbnails/1.jpg)
White-box CryptographyWhat do you do when they’re in your server room?
BayThreat
December 6th, 2013
!Nick Sullivan
@grittygrease
![Page 2: White-box Cryptography -BayThreat 2013](https://reader038.vdocument.in/reader038/viewer/2022103016/554a2fb1b4c90542548b53c1/html5/thumbnails/2.jpg)
My Background• Systems Engineering at CloudFlare
• Cryptography at Apple
• Threat analysis at Symantec
• M.Sc. in Cryptography
• Undergraduate Pure Mathematics
!2
![Page 3: White-box Cryptography -BayThreat 2013](https://reader038.vdocument.in/reader038/viewer/2022103016/554a2fb1b4c90542548b53c1/html5/thumbnails/3.jpg)
What this talk is about• Introduction to white-box cryptography
• Why we need this now more than ever
• Key concepts for implementations
• Steps for the future — with an announcement
!3
![Page 4: White-box Cryptography -BayThreat 2013](https://reader038.vdocument.in/reader038/viewer/2022103016/554a2fb1b4c90542548b53c1/html5/thumbnails/4.jpg)
Let’s talk about physical access• If an attacker has physical access, they have everything, right?
• Cold Boot, Evil Maid, Jailbreak, etc.
• It only takes time
!
• Solution: Lock it up!
!4
![Page 5: White-box Cryptography -BayThreat 2013](https://reader038.vdocument.in/reader038/viewer/2022103016/554a2fb1b4c90542548b53c1/html5/thumbnails/5.jpg)
Let’s talk about physical access• What about servers?
• Where are modern servers kept?
• Your own data center?
• A “physically secure” co-location facility?
• On a virtual machine in the cloud?
• On a globally-distributed CDN?
• Under which national jurisdiction?
!5
![Page 6: White-box Cryptography -BayThreat 2013](https://reader038.vdocument.in/reader038/viewer/2022103016/554a2fb1b4c90542548b53c1/html5/thumbnails/6.jpg)
Server Breaches Happen• How long does it take to get your secrets?
• Reverse engineering skill of attacker
• Diminishing cost to attacker as skills and tools accumulate
!
• Wouldn’t it be great if there was a computational burden placed on the attacker for every new secret?
• You could rotate your secrets on a fixed schedule
!6
![Page 7: White-box Cryptography -BayThreat 2013](https://reader038.vdocument.in/reader038/viewer/2022103016/554a2fb1b4c90542548b53c1/html5/thumbnails/7.jpg)
Standard Crypto Model (Black-box)
!7
adversary icons: Sam Small
Alice Bob
Eve
![Page 8: White-box Cryptography -BayThreat 2013](https://reader038.vdocument.in/reader038/viewer/2022103016/554a2fb1b4c90542548b53c1/html5/thumbnails/8.jpg)
Side-channel Attacks (Grey-box)
!8
adversary icons: Sam Small
Alice Bob
Eve
![Page 9: White-box Cryptography -BayThreat 2013](https://reader038.vdocument.in/reader038/viewer/2022103016/554a2fb1b4c90542548b53c1/html5/thumbnails/9.jpg)
White-box threat model
!9
adversary icons: Sam Small
Alice Bob
Eve
![Page 10: White-box Cryptography -BayThreat 2013](https://reader038.vdocument.in/reader038/viewer/2022103016/554a2fb1b4c90542548b53c1/html5/thumbnails/10.jpg)
White-box threat model
!10
adversary icons: Sam Small
Aleve Bob
![Page 11: White-box Cryptography -BayThreat 2013](https://reader038.vdocument.in/reader038/viewer/2022103016/554a2fb1b4c90542548b53c1/html5/thumbnails/11.jpg)
White-box Cryptography• Cryptographic implementations that hide the key from everyone
• Attackers on the wire
• Attackers outside the house
• Attackers inside the house (evil maids included)
!11
![Page 12: White-box Cryptography -BayThreat 2013](https://reader038.vdocument.in/reader038/viewer/2022103016/554a2fb1b4c90542548b53c1/html5/thumbnails/12.jpg)
White-box cryptography• Protection against key extraction in the strongest possible threat model
• Secures keys, not data
• White-box attackers no better off than black-box attackers
!12
![Page 13: White-box Cryptography -BayThreat 2013](https://reader038.vdocument.in/reader038/viewer/2022103016/554a2fb1b4c90542548b53c1/html5/thumbnails/13.jpg)
For Example• Digital Rights Management
• The key protecting streams from Spotify, Netflix, etc.
• Decryption and consumption of content happens in a controlled way
• The attacker is the consumer “Aleve”
!13
![Page 14: White-box Cryptography -BayThreat 2013](https://reader038.vdocument.in/reader038/viewer/2022103016/554a2fb1b4c90542548b53c1/html5/thumbnails/14.jpg)
White-box cryptography• History
• Invented in 2002 by Chow et al.
• Resurgence in academic attention in last two years — breaks, new constructions
• Work in progress
• No perfect white-boxes, only relatively strong ones
• General function obfuscator is not possible (Barak, 2001)
• Ciphers are not proven to be impossible to obfuscate
!14
![Page 15: White-box Cryptography -BayThreat 2013](https://reader038.vdocument.in/reader038/viewer/2022103016/554a2fb1b4c90542548b53c1/html5/thumbnails/15.jpg)
What does it get you?• Attackers cannot transform the key into a known form
• Algorithm or code has to be lifted or leveraged
• Prevents BORE (break once run everywhere) attacks
• Can’t plug into standard cryptography libraries
• Nation-state attackers use specialized hardware
• Traitor tracing
• You can rotate keys on a schedule since cost to break is bounded
!15
![Page 16: White-box Cryptography -BayThreat 2013](https://reader038.vdocument.in/reader038/viewer/2022103016/554a2fb1b4c90542548b53c1/html5/thumbnails/16.jpg)
Which algorithms?• Symmetric Key Cryptography
• DES
• AES
!
• Public Key Cryptography?
• RSA (maybe?)
• ECC (maybe?)
!16
![Page 17: White-box Cryptography -BayThreat 2013](https://reader038.vdocument.in/reader038/viewer/2022103016/554a2fb1b4c90542548b53c1/html5/thumbnails/17.jpg)
Example Implementation• 128-bit AES
• 16 byte key, 16 byte message block
• What about replacing implementation with a lookup table?
• Map from input to output indexed by order
• Lookup table has minimal information about structure of algorithm — black box
• 2^128 possible inputs of size 128bit
• Storage of 5 x 10^27 terabytes — too much
!17
![Page 18: White-box Cryptography -BayThreat 2013](https://reader038.vdocument.in/reader038/viewer/2022103016/554a2fb1b4c90542548b53c1/html5/thumbnails/18.jpg)
Example Implementation• AES Internals
• SubBytes — Byte-wise substitution
• ShiftRows — Permutation of bytes
• MixColumns — Linear combination of bytes
• AddRoundKeys — XOR a piece of the key
!18
![Page 19: White-box Cryptography -BayThreat 2013](https://reader038.vdocument.in/reader038/viewer/2022103016/554a2fb1b4c90542548b53c1/html5/thumbnails/19.jpg)
AES
!19
![Page 20: White-box Cryptography -BayThreat 2013](https://reader038.vdocument.in/reader038/viewer/2022103016/554a2fb1b4c90542548b53c1/html5/thumbnails/20.jpg)
Example Implementation• AddRoundKey, SubBytes
• Can be merged into one operation — byte-wise lookup table called a T-box
• MixColumns
• Linear combination — byte-wise lookup table for constants
• Nibble-wise lookup tables for linear factors
• Lots of lookup tables can be combined
!20
![Page 21: White-box Cryptography -BayThreat 2013](https://reader038.vdocument.in/reader038/viewer/2022103016/554a2fb1b4c90542548b53c1/html5/thumbnails/21.jpg)
Internal Encoding• Composition of functions
!
!
!
!
!
!
• Chaining random lookup tables
!21
![Page 22: White-box Cryptography -BayThreat 2013](https://reader038.vdocument.in/reader038/viewer/2022103016/554a2fb1b4c90542548b53c1/html5/thumbnails/22.jpg)
White-box compiler• Inputs
• White box description
• Random seed
• Key value
• Output
• Implementation of encryption/decryption for given key
!22
4663900
![Page 23: White-box Cryptography -BayThreat 2013](https://reader038.vdocument.in/reader038/viewer/2022103016/554a2fb1b4c90542548b53c1/html5/thumbnails/23.jpg)
Costs• Key size — Pre-scheduling causes key inflation
• Memory cost — Large lookup tables
• Performance cost — 5-10x in some cases
• Engineering cost — Integration, other anti-tampering techniques
!23
![Page 24: White-box Cryptography -BayThreat 2013](https://reader038.vdocument.in/reader038/viewer/2022103016/554a2fb1b4c90542548b53c1/html5/thumbnails/24.jpg)
In the industry• Mostly licensed for digital rights management — $$$
• Practical breaks (marcan42, Alberto Battistello, Phrack Magazine)
!
• No commercial grade open source implementation
• An affordable solution is needed
!24
![Page 25: White-box Cryptography -BayThreat 2013](https://reader038.vdocument.in/reader038/viewer/2022103016/554a2fb1b4c90542548b53c1/html5/thumbnails/25.jpg)
Introducing Open WhiteBox
!25
![Page 26: White-box Cryptography -BayThreat 2013](https://reader038.vdocument.in/reader038/viewer/2022103016/554a2fb1b4c90542548b53c1/html5/thumbnails/26.jpg)
Introducing Open WhiteBox• Group of individuals working to make white box cryptography accessible to the public
• Open source white box compiler (using LLVM)
• Working towards implementation of best current academic proposals
• Initial focus on server-side applications
!
• Participate in the conversation on Twitter @OpenWhiteBox
!26
![Page 27: White-box Cryptography -BayThreat 2013](https://reader038.vdocument.in/reader038/viewer/2022103016/554a2fb1b4c90542548b53c1/html5/thumbnails/27.jpg)
Questions?
!27
BayThreat
December 6th, 2013
!Nick Sullivan
@grittygrease
@OpenWhiteBox