Challenges in White-Box Cryptography...White-box Sowaresecurity . * Subjectofthistalk. 6/32. White-boxcryptography Outline 1 Introducon 2 White-boxcryptography 3 Challengesinwhite-boxcryptography

Challenges in White-Box Cryptography

Michaël P 1

1NXP Semiconductors

Early Symmetric Crypto 2015, Clervaux, January 12th, 2015

1 / 32

Introduc on

Outline

1 Introduc on

2 White-box cryptography

3 Challenges in white-box cryptography

2 / 32

Introduc on

Happy New Year 2015!

Why is the cryptographer against nuclear energy?

3 / 32

Introduc on

Happy New Year 2015!

Why is the cryptographer against nuclear energy?

Because he does not like collisions of course!

3 / 32

Introduc on

Symmetric cryptography in 2015

▶ We have a few block ciphers available▶ Pre AES era— (DES), Triple DES, IDEA, Blowfish, RC5...▶ AES— Rijndael, MARS, RC6, Serpent, Twofish.▶ Nessie— Camellia, MISTY1, SHACAL-2...

▶ We also need stream ciphers▶ Pre eStream era— A5/1, A5/2, SNOW 2.0/3G...▶ eStream—Grain, HC-128/256, Mickey, Rabbit, Salsa20/12, SOSEMANUK,

Trivium...▶ Let’s add some hash func ons...

▶ Pre SHA-3 era—MD5, RIPEMD-160, SHA-1, SHA-2, Whirlpool,(Radiogatún)...

▶ SHA3— Keccak, BLAKE, Grøstl, JH, Skein, (+2nd round candidates)▶ We also cover lightweight use cases

▶ CLEFIA, Noekeon, PRESENT, Photon, Prince, Simon...

( ... Sorry to anyone I forgot :-) )4 / 32

Introduc on









Introduc on









Introduc on









Introduc on

What to do next?

2015 NIST releases the SHA-3standard.

2018 2nd round candidates forCAESAR are known!

May 2021 NIST starts a newcompe on.

June 2021 The compe on ends andwinner is selected. Actuallythey just called Joan ;-).

2046 50th anniversary for TripleDES. S ll not broken.

Usage of Triple DES is approved un l 2030.

5 / 32

Introduc on

What to do next?







5 / 32

Introduc on

What to do next?







5 / 32

Introduc on

What to do next?







5 / 32

Introduc on

What to do next?







5 / 32

Introduc on

What to do next?







5 / 32

Introduc on

What to do next? Seriously...

▶ Fast and secure: Let’s call it done!▶ Three remaining axes:

Small box Lightweight crypto.Grey-box Built-in SCA &

fault-injec onresistance.

White-box So ware security.

6 / 32

Introduc on

What to do next? Seriously...

▶ Fast and secure: Let’s call it done!▶ Three remaining axes:

Small box Lightweight crypto.Grey-box Built-in SCA &

fault-injec onresistance.

White-box So ware security.⇑

Subject of this talk.

6 / 32

White-box cryptography

Outline

1 Introduc on



7 / 32


Tradi onal Black-box model

Encryption / Decryption

Plaintext / Ciphertext Ciphertext / Plaintext

▶ Similar to Dolev-Yao’s a acker model for communica on networks.

8 / 32


But... cryptography is now everywhere!

▶ To secure communica one.g., email, web browsing...

▶ To secure digital assetse.g., digital right managements

▶ To secure datae.g., cloud storage, disk encryp on

▶ To secure financial transac onse.g., online payment, smart cards

▶ To secure our iden tye.g., Belgian e-ID card

It’s me to switch model...

9 / 32


Grey-box model



Passive:• Time• Power• EM radiation

Active:• Inject faults• Modify hardware• Modify environment

▶ The industry has already started to integrate this model.▶ Both in the products but also in the cer fica on schemes

▶ Smart cards, secure elements...▶ Common Criteria, banking cer fica on...

10 / 32


Beyond the grey-box model

Virtual cards

CloudBanking

Transport DRM

eHealth

▶ We witness a shi from hardware toso ware.

▶ Rise of mobile applica ons requiringsecurity and cryptography.

▶ Banking applica ons...▶ Cloud storage, enterprise email...▶ DRM...

▶ Require protec on against▶ The , unlegi mate use, malwares...

▶ The grey-box model is insufficient inthis case.

11 / 32


White-box model



• Static analysis• Dynamic analysis• Inspect memory

• Inject faults• Alter implementation

(Chow, Eisen, Johnson and van Oorschot, 2002)

▶ A acker has▶ full access to the cryptography algorithm,▶ full control over its execu on environment, and▶ unlimited amount of queries!

▶ Model is extremely favorable to the a acker and changes considerablythe way we think about cryptography⇒ white-box cryptography.

12 / 32


Why white-box cryptography?

Good

▶ No need for HW▶ Higher compa bility

across pla orms▶ Easy to update▶ Easy to distribute▶ Low cost▶ No huge investment

(cer fied factories)▶ Faster me to market▶ Extra features!

Bad

▶ No cer fica on scheme▶ Though security model▶ Slower, unprac cal?

13 / 32


Extra features

White-box implementa ons may offer extra features such asAsymmetry Turn a symmetric cipher into an asymmetric version, e.g.

by offering only an encrypt() API.Diversifica on Each implementa on may be diversified, even if using the

same key.Func on binding For instance, bind decryp on with authorisa on request.Pla orm binding Implementa on produces correct results only on a given

device.Traitor tracing Implementa on hides a fingerprint that can be revealed

remotely.

14 / 32


Commercial solu ons

▶ Several companies provide white-box cryptography solu ons▶ Arxan▶ Irdeto / Cloakware▶ Inside Secure / Metaforic▶ Philips▶ SafeNet▶ whiteCryp on

▶ These companies already use or plan to use white-box cryptographysolu ons

▶ Apple▶ Microso▶ NAGRA▶ Ne lix▶ Sony▶ ...

▶ Let’s see one example.15 / 32


Example: whiteCryp on

▶ whiteCryp on provides WB libraries with ECC, AES, DES, TDES, SHA...▶ Mul -Channel Finite Automata Code Transforma on (MCFACT).

MCFACT is based on composi on of finite automata.▶ Finite automata▶ Encoders▶ Automata composi on

▶ Security based on the difficulty to factor composi on of two (non-linear)automata (Bruce Schneier, 1996).

▶ Uses similar principles as finite automaton public-key cryptosystems(Renji Tao, Shihua Chen,1985).

16 / 32



17 / 32



17 / 32



17 / 32



17 / 32



17 / 32



17 / 32

Challenges in white-box cryptography

Outline

1 Introduc on



18 / 32


On the security of white-box cryptography

▶ All white-box AES implementa ons published in the academic literaturehave been broken (De Mulder, 2014).

▶ This does not cover proprietary solu ons from commercial companies(Irdeto, Nagra, whiteCryp on, SafeNet).

▶ ... However, as of today, no (published) break-through with regard tosecure white-box techniques.

Ques on

Secure¹ white-box cryptography implementa on: chimera or reality?

¹i.e., as secure as black-/grey-box equivalent.19 / 32


Two illustra ons of secure white-box implementa ons

The super look-up table!▶ This is 5× 1027TB for AES.▶ So “secure¹” but … imprac cal.

The unfathomable state machine!▶ A device we can’t analyze easily.▶ but cannot built … yet.

¹We’ll revisit this.20 / 32


Two illustra ons of secure white-box implementa ons

The super look-up table!▶ This is 5× 1027TB for AES.▶ So “secure¹” but … imprac cal.

The unfathomable state machine!▶ A device we can’t analyze easily.▶ but cannot built … yet.

¹We’ll revisit this.20 / 32


On the speed of white-box implementa on

▶ Let’s assume a “secure” WB implementa on is possible. This callsimmediately for the next ques on.

Ques on

Fast and secureWB crypto implementa on: chimera or reality?

▶ For instance, current WB-AES implementa ons apply speed-securitytradeoffs.

▶ Reuse S-box tables▶ Reuse internal encodings▶ ...

▶ Currently tradeoffs are more in favor of speed...

21 / 32



▶ Fast and secure? Thoughques on.

▶ Let’s ask Raymond...

▶ Ok... Let’s assume it’s feasible.▶ Assume we have at hand a fast

and secure WB-AESimplementa on.

▶ What can we do with it?

22 / 32








22 / 32








22 / 32


Crypto nerds vs. reality

23 / 32


Crypto nerds vs. reality – white-box version

The white-box lock The “$5 wrench”

A ackers:▶ always go for the weakest link.▶ are not respec ul.▶ have lot of imagina on.

24 / 32


Keep the real target in mind!

▶ Keys are just necessary evils, they are not the actual assets.▶ To protect these assets, the implementa on must

▶ keep the key value secret, and▶ protect how the key is used.

▶ Remember: the a acker’s mo ve is not to extract the key value but toget what the key gives access to.

▶ Examples:

DRM apps ⇒ musics, movies...Banking apps ⇒ payment authorisa on, money...Secure vault ⇒ file content...

25 / 32


A gradient of a acker’s targets

26 / 32


Back to the white-box model

Application

Input Output

• Static analysis• Dynamic analysis• Inspect memory

• Inject faults• Alter implementation

▶ Froma secure white-box cryptography implementa on

toan implementa on that is secure in the white-box model.

▶ In the la er, the meaning of “secure” depends on both▶ the security objec ves, and▶ the a ack model.

27 / 32


Secure in the white-box model?

Ques on

An implementa on that is secure in the WB model: chimera or reality?

▶ Most security systems must at least achieve the following objec ves:1. Confiden ality Done!2. Integrity3. Authorisa on4. An -replay5. Unclonability

▶ We can imagine how to provide integrity …▶ Authorisa on seems much harder (against an all-seeing a acker) …▶ As for an -replay and unclonability: no solu on yet…

Ques on

Is the model too strong? What are we missing to achieve these objec ves?28 / 32



Ques on




Ques on




Ques on




Ques on



Is binding the (new) key?

“When the a acker has knowledge of the internal details of a (cryptographic)algorithm, the way how it is implemented is the sole remaining line of

defense.” (Chow et al., 2002)

▶ Use the same technique to provide the (missing) security objec ves.▶ The same applies for providing extra features.

▶ e.g., Authorisa on is typically a case of func on binding.

▶ Good white-box designs must then▶ Protect the value of cryptographic keys,▶ Be flexible enough to bind with other func ons.

29 / 32


Learn the lessons from the grey-box model

▶ Remember, the white-box model gives the a acker▶ Full access to and▶ Full control over the execu on environment, and▶ unlimited amount of queries.

▶ This is a bargain for any grey-box a acker.▶ It seems that current design does not address this a ack vector.

Ques on

How to take into account the lessons we learned from grey-boximplementa ons?

30 / 32

Conclusions

Conclusions

▶ White-box cryptography is fun, interes ng and may offer cool extrafeatures.

▶ Commercial products and usage is growing.▶ Protec ng the key value is not enough.▶ No solu on yet to some core security objec ves.

▶ Is the model too strong?

▶ We must learn lessons from the grey-box model.

31 / 32

Ques ons

Ques ons?

Contact me atmichael-DOT-peeters-AT-nxp-DOT-com

DISCLAIMER: No WB design was hurt during the making of this presenta on.

32 / 32

michael -DOT- peeters -AT- nxp -DOT- com

Challenges in White-Box Cryptography...White-box Sowaresecurity . * Subjectofthistalk. 6/32. White-boxcryptography Outline 1 Introducon 2 White-boxcryptography 3 Challengesinwhite-boxcryptography

Documents