The Long-Short-Key Primitive and Its Applications to Key Security Mariusz H. Jakubowski Ramarathnam Venkatesan Microsoft Research Matthew Cary Google Matthias Jacob Nokia International Workshop on Security: IWSEC ’08 Kagawa, Japan November 25-27, 2008
24
Embed
The Long-Short-Key Primitive and Its Applications to Key Security
The Long-Short-Key Primitive and Its Applications to Key Security. Matthew Cary Google Matthias Jacob Nokia. Mariusz H. Jakubowski Ramarathnam Venkatesan Microsoft Research. International Workshop on Security: IWSEC ’08 Kagawa, Japan November 25-27, 2008. Introduction. - PowerPoint PPT Presentation
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
The Long-Short-Key Primitive and Its Applications to Key Security
Mariusz H. Jakubowski
Ramarathnam Venkatesan
Microsoft Research
Matthew CaryGoogle
Matthias Jacob
Nokia
International Workshop on Security: IWSEC ’08
Kagawa, Japan
November 25-27, 2008
11/27/08 2
Introduction
• Cryptographic (in)security on open PCs– Software susceptible to observation and
modification– Secret data visible at runtime in memory– Key-secrecy assumption violated
• Some current contexts:– DRM (secured audio, video, e-books)– Full disk encryption (BitLocker)– Authentication (passwords, biometrics)
11/27/08 3
Introduction
• Traditional approaches may not suffice:– Obfuscation– Tamper-resistance
• Goals of our work:– Propose a novel approach to protect keys.– Present several applications.– Report on an implementation.
11/27/08 4
Overview
• Introduction• Background• The long-short-key primitive• Implementation• Applications• Conclusion
Protection of cryptographic keys on open systems
11/27/08 5
Software Protection
• Obfuscation– Code “difficult” to understand and modify– Many ad hoc techniques in popular use– Theoretical results often negative
• Each key K transformed into code that encrypts or decrypts without revealing K.
• K should be difficult to extract from code.
– Security often not guaranteed• Typically no practical security proofs• Many schemes released, broken and “fixed”
11/27/08 6
Other Related Areas
• Bounded-storage models– Maurer, Dziembowski et al.– Forward-secure storage
• Large ciphertexts• Partial ciphertext leakage does not reveal any plaintext,
even with correct key.
– Intrusion resilience via bounded storage• Large keys• Partial key leakage does not facilitate decryption.
• Dynamic key generation and refresh
11/27/08 7
Overview
• Introduction• Background• The long-short-key primitive• Implementation• Applications• Conclusion
Protection of cryptographic keys on open systems
11/27/08 8
Long-Short-Key Primitive
• Goal: Protect a secret key K.
• Basic approach:
– Privately: Encrypt or decrypt with “short” key K.– Publicly: Encrypt or decrypt with a “long” key L derived
from K.
An alternative approach to key hiding
L = key_expand(K)EK,L(P) = CDK,L(C) = P
11/27/08 9
Long-Short-Key Security
• Security model:– System is fully open to inspection and modification.– Adversary can access only L, not K.– K should be “hard” to obtain from L.
• Desired (provable) security property:– Minimum size of any hack is O(|L|).– Forces attackers to redistribute large volume of key material.
L = key_expand(K)EK,L(P) = CDK,L(C) = P
11/27/08 10
Long-Short-Key Security
• Implementation of key_expand(K)– Secure pseudorandom generator– Stream cipher (e.g., RC4 or a random-access cipher)
• This enforces the security property (minimum code size needed to implement encryption and decryption if K is not available).
L = key_expand(K)EK,L(P) = CDK,L(C) = P
11/27/08 11
Using the Long Key
• Let long key L = (X1, X2, …, XN).– Treat blocks X1, X2, …, XN as cipher keys.
– Use a subset S of (X1, X2, …, XN) as a sequence of keys for cryptographic operations.
• Modes of operation– Sequential: S = Xi, Xi+1, …
– Counter-based: S = XE(i), XE(i+1), …
– Selective: S = XE(i), XC[0], XC[1], …
i = IV or initial counter, E(i) = encryption of i, C[k] = ciphertext block k (mod N)
11/27/08 12
Modes of OperationMethods of choosing subsets of long key for encryption and decryption
• Sequential– S = Xi, Xi+1, …– Consecutive sequence of long-key blocks used as keys– Simplest method with best performance
• Counter-based– S = XE(i), XE(i+1), …– Randomized sequence of blocks– Better variability of block selection
• Selective– S = XE(i), XC[0], XC[1], …– Randomized and ciphertext-dependent sequence of blocks– Most variability and unpredictability of block selection
i = IV or initial counter, E(i) = encryption of i, C[k] = ciphertext block k (mod N)
11/27/08 13
Overview
• Introduction• Background• The long-short-key primitive• Implementation• Applications• Conclusion
Protection of cryptographic keys on open systems
11/27/08 14
Implementation
• AES-based framework– Blocks of long key serve as distinct AES keys.– Each key generates an instance of AES code.– AES instances are merged and interleaved.
• Individualization and obfuscation– Injection of “chaff” code– Conversion of operations to table lookups– Instruction interleaving– Temporary corruption and restoration of data– …
11/27/08 15
Iterated ProtectionA framework for design, implementation and analysis of
obfuscation methods
• Obfuscation operators are applied repeatedly over already obfuscated code.
• Interaction among operators leads to complex (emergent) code behavior and structure.– “Whole greater than the sum of its parts”– Security bootstrapped even via simple iterated primitives– Inspired by cellular automata and rounds in cryptography
• Methodology may offer hope for security analysis.– Metrics to estimate complexity of breaking– Foundation for analysis of practical obfuscation methods– Just one element to aid with comprehensive approaches
11/27/08 16
An Analogy: Iterated Translation“Weakly obfuscating” transformations that create complexity when iterated:
• Original:Code-obfuscation and tamper-resistance technologies aim to protect software against reverse engineering and hacking. Such methods include code-integrity verification, control-flow obfuscation, data encoding, anti-debugging, and many others. This technology is useful for applications such as content protection and Digital Rights Management, where code must execute as intended in order to enforce anti-piracy measures. Software protection is also helpful against viruses, worms, trojans, rootkits, and malicious code in general.
• English German French Spanish English Chinese English (via Babel Fish):Causes to change the dark code and the payment technology resistance cares for to protect r3etechnique and the Zerhacken program computer science opposition. Such method including code data fullness reconsideraci3on, Steuerung-fliessen changes darkly, compiles the statute book, AntiAuspruefen and other people. This technology is the useful legal management the protection which likely satisfies for the application and, in the code numeral the application must, expect there, imposes the antipiraterie set. The computer science program protection is the very useful opposition virus, the endless screw, Turlogh 伊人 , rootkits and code boeswilligen in brief to general.
• English German English German English German English:If you code Kollusion and resistance technologies supplying, the goal away away of protecting for of of software from back technology and the Zerhacken. Such methods close completeness of the code test, taxliquid the Kollusion, the data coding out and anti-examining and that differently the many. This technology is for applications like content protection and must the right management, which is useful, the code digitally inside accomplish, for Piraterie mass anti forces there been supposed. Software protection is useful generally also against viruses, continuous screws, trojans, root installation of sentences and bad-ready code.
11/27/08 17
Example Protection OperatorsComplexity derived from iteration and recombination
• Oblivious hashing– Injection of code to perform integrity checks of execution
• Hash updates after state changes (e.g., assignments and branches)• Periodic checks for hash correctness
– First hashing round verifies execution of target code.– Each subsequent round verifies execution of all previous rounds (along with
target code).
int x = 123;
if (GetUserInput() > 10){ x = x + 1;}else{ printf("Hello\n");}
INITIALIZE_HASH(hash1);
int x = 123;UPDATE_HASH(hash1, x);
if (GetUserInput() > 10){ UPDATE_HASH(hash1, BRANCH_ID_1); x = x + 1; UPDATE_HASH(hash1, x);}else{ UPDATE_HASH(hash1, BRANCH_ID_2); printf("Hello\n");}
VERIFY_HASH(hash1);
11/27/08 18
Example Protection OperatorsTwo iterated rounds of oblivious hashing
int x = 123;
if (GetUserInput() > 10){ x = x + 1;}else{ printf("Hello\n");}
INITIALIZE_HASH(hash1);
int x = 123;UPDATE_HASH(hash1, x);
if (GetUserInput() > 10){ UPDATE_HASH(hash1, BRANCH_ID_1); x = x + 1; UPDATE_HASH(hash1, x);}else{ UPDATE_HASH(hash1, BRANCH_ID_2); printf("Hello\n");}
VERIFY_HASH(hash1);
INITIALIZE_HASH(hash1);INITIALIZE_HASH(hash2);
int x = 123;UPDATE_HASH(hash1, x);UPDATE_HASH(hash2, x);UPDATE_HASH(hash2, hash1);
if (GetUserInput() > 10){ UPDATE_HASH(hash1, BRANCH_ID_1); UPDATE_HASH(hash2, BRANCH_ID_1); UPDATE_HASH(hash2, hash1); x = x + 1; UPDATE_HASH(hash1, x); UPDATE_HASH(hash2, x); UPDATE_HASH(hash2, hash1);}else{ UPDATE_HASH(hash1, BRANCH_ID_2); UPDATE_HASH(hash2, BRANCH_ID_2); UPDATE_HASH(hash2, hash1); printf("Hello\n");}
VERIFY_HASH(hash1);VERIFY_HASH(hash2);
11/27/08 19
Example Protection OperatorsComplexity derived from iteration and recombination
• Pointer conversion– Conversion of variable references to be performed via pointers– Addition of arbitrary layers of indirection