White-box Cryptography - BayThreat 2013


In this talk, we discuss white box cryptography, a technique used to protect cryptographic keys from a local attacker. In keeping with the theme of building and breaking security, we will discuss the challenges involved in building a white-box crypto system.

Published in: Technology, Education

  1. BayThreat, December 6th, 2013 • Nick Sullivan, @grittygrease • White-box Cryptography: What do you do when they’re in your server room?
  2. My Background
     • Systems Engineering at CloudFlare
     • Cryptography at Apple
     • Threat analysis at Symantec
     • M.Sc. in Cryptography
     • Undergraduate Pure Mathematics
  3. What this talk is about
     • Introduction to white-box cryptography
     • Why we need this now more than ever
     • Key concepts for implementations
     • Steps for the future — with an announcement
  4. Let’s talk about physical access
     • If an attacker has physical access, they have everything, right?
     • Cold Boot, Evil Maid, Jailbreak, etc.
     • It only takes time
     • Solution: Lock it up!
  5. Let’s talk about physical access
     • What about servers?
     • Where are modern servers kept?
     • Your own data center?
     • A “physically secure” co-location facility?
     • On a virtual machine in the cloud?
     • On a globally-distributed CDN?
     • Under which national jurisdiction?
  6. Server Breaches Happen
     • How long does it take to get your secrets?
     • Reverse engineering skill of attacker
     • Diminishing cost to attacker as skills and tools accumulate
     • Wouldn’t it be great if there was a computational burden placed on the attacker for every new secret?
     • You could rotate your secrets on a fixed schedule
  7. Standard Crypto Model (Black-box) [Diagram: Alice, Bob, Eve; adversary icons: Sam Small]
  8. Side-channel Attacks (Grey-box) [Diagram: Alice, Bob, Eve; adversary icons: Sam Small]
  9. White-box threat model [Diagram: Eve, Alice, Bob; adversary icons: Sam Small]
  10. White-box threat model [Diagram: Aleve, Bob; adversary icons: Sam Small]
  11. White-box Cryptography
      • Cryptographic implementations that hide the key from everyone
      • Attackers on the wire
      • Attackers outside the house
      • Attackers inside the house (evil maids included)
  12. White-box cryptography
      • Protection against key extraction in the strongest possible threat model
      • Secures keys, not data
      • White-box attackers no better off than black-box attackers
  13. For Example
      • Digital Rights Management
      • The key protecting streams from Spotify, Netflix, etc.
      • Decryption and consumption of content happens in a controlled way
      • The attacker is the consumer “Aleve”
  14. White-box cryptography
      • History
      • Invented in 2002 by Chow et al.
      • Resurgence in academic attention in last two years — breaks, new constructions
      • Work in progress
      • No perfect white-boxes, only relatively strong ones
      • General function obfuscator is not possible (Barak, 2001)
      • Ciphers are not proven to be impossible to obfuscate
  15. What does it get you?
      • Attackers cannot transform the key into a known form
      • Algorithm or code has to be lifted or leveraged
      • Prevents BORE (break once run everywhere) attacks
      • Can’t plug into standard cryptography libraries
      • Nation-state attackers use specialized hardware
      • Traitor tracing
      • You can rotate keys on a schedule since cost to break is bounded
  16. Which algorithms?
      • Symmetric Key Cryptography
      • DES
      • AES
      • Public Key Cryptography?
      • RSA (maybe?)
      • ECC (maybe?)
  17. Example Implementation
      • 128-bit AES
      • 16 byte key, 16 byte message block
      • What about replacing implementation with a lookup table?
      • Map from input to output indexed by order
      • Lookup table has minimal information about structure of algorithm — black box
      • 2^128 possible inputs of size 128 bits
      • Storage of 5 x 10^27 terabytes — too much
  18. Example Implementation
      • AES Internals
      • SubBytes — Byte-wise substitution
      • ShiftRows — Permutation of bytes
      • MixColumns — Linear combination of bytes
      • AddRoundKey — XOR a piece of the key
  19. AES
  20. Example Implementation
      • AddRoundKey, SubBytes
      • Can be merged into one operation — byte-wise lookup table called a T-box
      • MixColumns
      • Linear combination — byte-wise lookup table for constants
      • Nibble-wise lookup tables for linear factors
      • Lots of lookup tables can be combined
  21. Internal Encoding
      • Composition of functions
      • Chaining random lookup tables
  22. White-box compiler
      • Inputs
      • White box description
      • Random seed
      • Key value 4663900
      • Output
      • Implementation of encryption/decryption for given key
  23. Costs
      • Key size — Pre-scheduling causes key inflation
      • Memory cost — Large lookup tables
      • Performance cost — 5-10x in some cases
      • Engineering cost — Integration, other anti-tampering techniques
  24. In the industry
      • Mostly licensed for digital rights management — $$$
      • Practical breaks (marcan42, Alberto Battistello, Phrack Magazine)
      • No commercial grade open source implementation
      • An affordable solution is needed
  25. Introducing Open WhiteBox
  26. Introducing Open WhiteBox
      • Group of individuals working to make white box cryptography accessible to the public
      • Open source white box compiler (using LLVM)
      • Working towards implementation of best current academic proposals
      • Initial focus on server-side applications
      • Participate in the conversation on Twitter @OpenWhiteBox
  27. Questions? BayThreat, December 6th, 2013 • Nick Sullivan, @grittygrease • @OpenWhiteBox
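
The T-box of slide 20 and the internal encoding of slide 21, as an added Python example that is not code from the talk or from Open WhiteBox: two key-dependent byte tables are chained once directly and once with a random bijection f folded in between them. The key bytes, the seed, the function names and the omission of ShiftRows/MixColumns between the two tables are assumptions made for the illustration.

```python
import random

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial (0x11B)."""
    r = 0
    while b:
        r ^= a if b & 1 else 0
        a = (a << 1) ^ (0x11B if a & 0x80 else 0)
        b >>= 1
    return r

def build_sbox():
    """AES S-box: field inverse followed by the affine map."""
    sbox = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if gf_mul(x, y) == 1), 0)
        s = inv ^ 0x63
        for n in range(1, 5):
            s ^= ((inv << n) | (inv >> (8 - n))) & 0xFF
        sbox.append(s)
    return sbox

SBOX = build_sbox()

def tbox(k):
    """T-box: AddRoundKey and SubBytes for one state byte as one table."""
    return [SBOX[x ^ k] for x in range(256)]

def build_chain(k1, k2, seed):
    """Two chained T-boxes, plain and with a random internal encoding f."""
    f = list(range(256))
    random.Random(seed).shuffle(f)   # demo only: seeded, not a CSPRNG
    f_inv = [f.index(v) for v in range(256)]
    t1, t2 = tbox(k1), tbox(k2)
    enc1 = [f[t1[x]] for x in range(256)]        # f . T1
    enc2 = [t2[f_inv[x]] for x in range(256)]    # T2 . f^-1
    return t1, t2, enc1, enc2

def key_from_plain_tbox(table):
    """An unencoded T-box gives up its key byte: T[0] = S[k]."""
    return SBOX.index(table[0])

def candidate_keys(table):
    """Key bytes k for which some bijection g gives table == g . T_k."""
    def g_image(k):   # values of g = table . T_k^-1
        return {SBOX[x ^ k]: table[x] for x in range(256)}.values()
    return [k for k in range(256) if len(set(g_image(k))) == 256]
```

The encoded pair computes the same function as the plain pair, yet the first encoded table taken alone is consistent with every one of the 256 key bytes, whereas the plain T-box reveals its key byte from a single entry. That holds only for a table in isolation.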
