The document discusses key recovery attacks against commercial white-box cryptography implementations. It provides an overview of white-box cryptography, existing attacks against academic white-box implementations, and the speaker's work analyzing commercial white-box implementations. The speaker's motivation is that while all academic white-box crypto has been broken, no attacks have been demonstrated on commercial versions. The talk covers side-channel attacks like correlation power analysis and differential fault analysis that have been used to break academic white-box crypto.
Key recovery attacks against commercial white-box cryptography implementation...CODE BLUE
White-box cryptography aims to protect cryptographic primitives and keys in software implementations even when the adversary has full control over the execution environment and access to the implementation of the cryptographic algorithm. It combines mathematical transformation with obfuscation techniques, so it is not just obfuscation at the data and code level but actual algorithmic obfuscation.
In a white-box implementation, cryptographic keys are mathematically transformed so that they are never revealed in plain form, even during execution of the cryptographic algorithm. With such security in place, it becomes extremely difficult for attackers to locate, modify, and extract the cryptographic keys. Although all current academic white-box implementations have been practically broken by various attacks, including table decomposition, power analysis, and fault injection attacks, there are no published reports of successful attacks against commercial white-box implementations to date. When I assessed commercial white-box implementations to check whether they were vulnerable to previous attacks, I found that the previous attacks failed to retrieve a secret key protected with the commercial white-box implementation. Consequently, I modified the side-channel attacks available in the academic literature and succeeded in retrieving a secret key protected with the commercial white-box cryptography implementation. To the best of my knowledge, this is the first report in this industry of successfully recovering a secret key protected with a commercial white-box implementation. In this talk, I would like to share how to recover a key protected with a commercial white-box implementation and present security guides on applying white-box cryptography to services more securely.
1. The Key Recovery Attacks against Commercial
White-box cryptography Implementations
Sanghwan Ahn | LINE Corporation
PACSEC 2017 —Tokyo — Nov 1, 2017
2. About me
• Ahn Sanghwan(@h2spice)
• Senior security engineer, LINE Corporation
• Application security
• Security assessment
• Security design and development
• Other works related to app security
3. About this talk
• Security threats in the application
• Introduction to white-box cryptography(WBC)
• Existing attacks against published white-box implementation
• Our works against commercial white-box Implementation
• Simple security guides on applying WBC to service
5. Application security
Digital rights management
- Data encryption
- Watermarks
- Signature
End-to-End Encryption
Digital signature
Payment tokenization
- Easy payment service
- Masking sensitive data
Transport layer protection
- SSL/TLS
Authentication(id/password, biometric)
+ 2-Factor-Authentication(SMS, Call, OTP), FIDO
6. • Design of algorithms and protocols to protect a
communication channel
• End points are assumed to be trusted and safe
Alice Bob
Mallory
Traditional cryptography
7. Attacking end-point directly
Digital rights management
- Data encryption
- Watermarks
- Signature
Tamper resistant
- Anti-debug
- Integrity
- Obfuscation
End-to-End Encryption
Digital signature
Payment tokenization
- Easy payment service
- Masking sensitive data
Transport layer protection
- SSL/TLS
Authentication(id/password, biometric)
+ 2-Factor-Authentication(SMS, Call, OTP), FIDO
Mallory
9. • Binary is completely visible to an attacker
• Attacker has full access to the cryptography algorithm
• Attacker has full control over its execution environment
• Unlimited amount of queries
• Static Analysis
• Code Analysis(reverse engineering)
• Dynamic Analysis
• Debugging
• DBI(dynamic binary instrumentation)
White-box threat model
10. • Trusted execution environment(TEE)
• ARM Trustzone, Intel SGX, AMD Memory Encryption
• It’s almost safe, but not many supported devices
(mostly latest devices)
• White-box cryptography(WBC)
• All academic WBC solutions have been broken.
• No attack has been observed to date on commercial WBC
Solutions for white-box threat model
Virtual
Black box
13. Table based AES implementation
T-Box
XOR Table
ShiftRows
AddRoundKey
SubByte
MixColumns
Data flow for round one of table based AES 128 implementation, 2-9 rounds are the same.
16. WB-AES implementation - internal encoding
XOR Table
XOR Table
Internal Decoding
it cancels encoding in the previous round
T’Box
Internal Encoding
it will be canceled in the next round
T’Box transformed
With Mixing Bijection
it will be canceled in the next transformation
Data flow for second round of table based AES 128 implementation.
17. WB-AES implementation - external encoding
First
round
Input
Sender
White-box
Decode
the input Final
round
Encode
the output
Output
Receiver
Decode the output
Encode
the input
20. Possible attacks : table-decomposition
Ciphertext
Plaintext
WBC
f(…)
Table decomposition
function
21. Possible attacks : power analysis
Ciphertext
Plaintext
WBC
Record the intermediate
computation results,
then compare them
with simulated data
ShiftRows
SubBytes
MixColumns
AddRoundKey
Ciphertext
Plaintext
Key
Simulator
22. Typical example of a (hardware) power trace of an unprotected AES-128 implementation (one can observe the ten rounds)
Power analysis on the hardware
Reference : Joppe W. Bos et al. - Differential Computation Analysis: Hiding your White-Box Designs is Not Enough
24. Typical example of a portion of a serialized software trace of stack writes in a WBAES-128, with only two possible values: 0 or 1
Power analysis on the software
Reference : Joppe W. Bos et al. - Differential Computation Analysis: Hiding your White-Box Designs is Not Enough
25. The correlation between the sensitive data and the power consumption for the 256 key guesses for a single byte
Correlation power analysis(CPA)
Reference : W. Hnath, J. Pettengill, “Differential Power Analysis Side-Channel Attacks in Cryptography,” Major Qualifying Project, Worcester Polytechnic Institute, April 2010
26. The correlation between the sensitive data and the power consumption for the 256 key guesses for 16 bytes
Correlation power analysis(CPA)
Reference : W. Hnath, J. Pettengill, “Differential Power Analysis Side-Channel Attacks in Cryptography,” Major Qualifying Project, Worcester Polytechnic Institute, April 2010
27. Possible attacks : fault analysis
Faulty Ciphertext
(incorrect result)
Plaintext
WBC
Ciphertext(correct result)
Plaintext
WBC
1. Modify
intermediate data
2. Record changes to the output
3. Compare incorrect result and correct result
29. Differential fault analysis(DFA)
Input = ’3243F6A8885A308D313198A2E0370734’
Cipher Key =’2B7E151628AED2A6ABF7158809CF4F3C’
Output= ’3925841D02DC09FBDC118597196A0B32’
After ShiftRow9:
87 F2 4D 97
6E 4C 90 EC
46 E7 4A C3
A6 8C D8 95
Fault injected ‘1E’:
99 F2 4D 97
6E 4C 90 EC
46 E7 4A C3
A6 8C D8 95
After Mixcolumn:
7B 40 43 4C
29 D4 70 9F
8A E4 3A 42
CF A5 A6 BC
⊕ K9:
AC 19 28 57
77 FA D1 5C
66 DC 29 00
F3 21 41 6E
= After AddRoundKey9:
D7 59 8B 1B
5E 2E A1 C3
EC 38 13 42
3C 84 E7 D2
After SubBytes10:
0E CB 3D AF
58 31 32 2E
CE 07 7D 2C
EB 5F 94 B5
After ShiftRows10:
0E CB 3D AF
31 32 2E 58
7D 2C CE 07
B5 EB 5F 94
⊕ K10:
D0 C9 E1 B6
14 EE 3F 63
F9 25 0C 0C
A8 89 C8 A6
= Output with faults:
DE 02 DC 19
25 DC 11 3B
84 09 C2 0B
1D 62 97 32
⊕ Output without fault:
39 02 DC 19
25 DC 11 6A
84 09 85 0B
1D FB 97 32
= Error:
E7 00 00 00
00 00 00 51
00 00 47 00
00 99 00 00
Reference : P. Dusart, G. Letourneux and O. Vivolo, “Differential Fault Analysis on A.E.S.,” Cryptology ePrint Archive of IACR, No. 010, 2003
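The fault propagation on this slide, replayed as an added Python example (not the speaker's code): it starts from the printed "After ShiftRow9" state and the printed K9 and K10, and goes slightly beyond the slide by giving the affected ciphertext cells for a one-byte fault in any column. Function names are illustrative; the computation yields A3 where the MixColumns matrix prints 43 (A3 ⊕ 28 = 8B, as in the AddRoundKey9 matrix).

```python
# Added example (not the speaker's code). Matrices are copied from the DFA
# slide and laid out as printed there: state[row][col].

def gmul(a, b):
    """Multiply two bytes in GF(2^8) modulo the AES polynomial 0x11B."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def build_sbox():
    """AES S-box: multiplicative inverse, then the affine transform."""
    sbox = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if gmul(x, y) == 1), 0)
        s = inv ^ 0x63
        for k in range(1, 5):  # XOR in the four left-rotations of inv
            s ^= ((inv << k) | (inv >> (8 - k))) & 0xFF
        sbox.append(s)
    return sbox

SBOX = build_sbox()
MIX = [[2, 3, 1, 1], [1, 2, 3, 1], [1, 1, 2, 3], [3, 1, 1, 2]]

def rows(text):
    """Parse four lines of four hex bytes into a 4x4 matrix."""
    return [[int(b, 16) for b in line.split()] for line in text.strip().splitlines()]

AFTER_SHIFTROWS9 = rows("87 F2 4D 97\n6E 4C 90 EC\n46 E7 4A C3\nA6 8C D8 95")
K9 = rows("AC 19 28 57\n77 FA D1 5C\n66 DC 29 00\nF3 21 41 6E")
K10 = rows("D0 C9 E1 B6\n14 EE 3F 63\nF9 25 0C 0C\nA8 89 C8 A6")

def xor(a, b):
    """Cell-wise XOR of two 4x4 matrices."""
    return [[x ^ y for x, y in zip(ra, rb)] for ra, rb in zip(a, b)]

def mix_columns(s):
    return [[gmul(MIX[r][0], s[0][c]) ^ gmul(MIX[r][1], s[1][c]) ^
             gmul(MIX[r][2], s[2][c]) ^ gmul(MIX[r][3], s[3][c])
             for c in range(4)] for r in range(4)]

def finish_encryption(state):
    """MixColumns + AddRoundKey 9, then SubBytes + ShiftRows + AddRoundKey 10."""
    s = xor(mix_columns(state), K9)
    s = [[SBOX[b] for b in row] for row in s]
    s = [row[r:] + row[:r] for r, row in enumerate(s)]  # ShiftRows
    return xor(s, K10)

def inject_fault(state, row, col, delta):
    """Return a copy of the state with one byte XORed by delta."""
    faulty = [r[:] for r in state]
    faulty[row][col] ^= delta
    return faulty

def affected_positions(col):
    """Ciphertext cells reachable from a one-byte fault in this column:
    MixColumns fills the column, ShiftRows 10 moves row r left by r."""
    return {(r, (col - r) % 4) for r in range(4)}

def error_matrix():
    """Reproduce the slide: fault 0x1E in the top-left byte, XOR of outputs."""
    good = finish_encryption(AFTER_SHIFTROWS9)
    bad = finish_encryption(inject_fault(AFTER_SHIFTROWS9, 0, 0, 0x1E))
    return xor(good, bad)

if __name__ == "__main__":
    for row in error_matrix():
        print(" ".join(f"{b:02X}" for b in row))
```

A single corrupted byte before the last MixColumns always changes exactly four ciphertext bytes in this diagonal pattern, which is why an implementation that recomputes and compares its output before releasing it can refuse to emit such a result.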
32. Secret Key
4A 32 4D 72 39 33 33 6C
61 54 4E 6B 32 4D 4A 30
WB Engine
Protected Key
It is very difficult to recover the plain key from the protected key
Commercial white-box implementation
33. • Side channel attacks
• Correlation Power analysis (CPA)
• Differential Fault Analysis (DFA)
• Control flow visualization
White-box cryptanalysis — existing research
References
- Joppe W. Bos et al. - Differential Computation Analysis: Hiding your White-Box Designs is Not Enough
- Paul Bottinelli and Joppe W. Bos - Computational Aspects of Correlation Power Analysis
- Eloi Sanfelix, Cristofaro Mune, Job de Haas - Unboxing The White-Box: Practical Attacks Against Obfuscated Ciphers
34. Typical example of a (hardware) power trace of an unprotected AES-128 implementation (one can observe the ten rounds)
Cryptographic primitive
Reference : Kevin Meritt, “Differential Power Analysis attacks on AES”
47. Taint analysis for simple-cipher
0x4200986: (in /lib/i386-linux-gnu/libc-2.21.so)
0x42B34AE: (in /lib/i386-linux-gnu/libc-2.21.so)
0x42B34B3: (in /lib/i386-linux-gnu/libc-2.21.so)
0x42B34B8: (in /lib/i386-linux-gnu/libc-2.21.so)
0x42B34BD: (in /lib/i386-linux-gnu/libc-2.21.so)
…
0x8181ABA: (in Commercial-SimpleWB-AES)
0x8181AC4: (in Commercial-SimpleWB-AES)
0x8181ACC: (in Commercial-SimpleWB-AES)
0x8181AD0: (in Commercial-SimpleWB-AES)
0x8181AE0: (in Commercial-SimpleWB-AES)
0x8181AE4: (in Commercial-SimpleWB-AES)
0x8181AEE: (in Commercial-SimpleWB-AES)
0x8181AF2: (in Commercial-SimpleWB-AES)
0x8181B04: (in Commercial-SimpleWB-AES)
0x8181B08: (in Commercial-SimpleWB-AES)
0x8181B10: (in Commercial-SimpleWB-AES)
0x8181B14: (in Commercial-SimpleWB-AES)
0x8181B24: (in Commercial-SimpleWB-AES)
0x8181B28: (in Commercial-SimpleWB-AES)
0x8181B32: (in Commercial-SimpleWB-AES)
…
Cryptographic
primitive
66. How to use WBC more safely in apps
• No single key for everything
• No hardcoded key(protected key)
• No static IV
• Use asymmetric crypto algorithm based on WBC
(RSA, Elliptic curves … )
• Use tamper resistant embedded integrity checksums
• Use device binding