White-box Cryptography 
What do you do when they’re in your server room? 
BayThreat 
December 6th, 2013 
Nick Sullivan 
@grittygrease
My Background 
• Systems Engineering at CloudFlare 
• Cryptography at Apple 
• Threat analysis at Symantec 
• M.Sc. in Cryptography 
• Undergraduate Pure Mathematics 
2
What this talk is about 
• Introduction to white-box cryptography 
• Why we need this now more than ever 
• Key concepts for implementations 
• Steps for the future — with an announcement 
3
Let’s talk about physical access 
• If an attacker has physical access, they have everything, right? 
• Cold Boot, Evil Maid, Jailbreak, etc. 
• It only takes time 
• Solution: Lock it up! 
4
Let’s talk about physical access 
• What about servers? 
• Where are modern servers kept? 
• Your own data center? 
• A “physically secure” co-location facility? 
• On a virtual machine in the cloud? 
• On a globally-distributed CDN? 
• Under which national jurisdiction? 
5
Server Breaches Happen 
• How long does it take to get your secrets? 
• Reverse engineering skill of attacker 
• Diminishing cost to attacker as skills and tools accumulate 
• Wouldn’t it be great if there was a computational burden placed on the attacker for every new secret? 
• You could rotate your secrets on a fixed schedule 
6
Standard Crypto Model (Black-box) 
[Diagram: Alice, Bob and the adversary Eve. Adversary icons: Sam Small]
7
Side-channel Attacks (Grey-box) 
[Diagram: Alice, Bob and the adversary Eve. Adversary icons: Sam Small]
8
White-box threat model 
[Diagram: Alice, Bob and the adversary Eve. Adversary icons: Sam Small]
9
White-box threat model 
[Diagram: Aleve and Bob. Adversary icons: Sam Small]
10
White-box Cryptography 
• Cryptographic implementations that hide the key from everyone 
• Attackers on the wire 
• Attackers outside the house 
• Attackers inside the house (evil maids included) 
11
White-box cryptography 
• Protection against key extraction in the strongest possible threat model 
• Secures keys, not data 
• White-box attackers no better off than black-box attackers 
12
For Example 
• Digital Rights Management 
• The key protecting streams from Spotify, Netflix, etc. 
• Decryption and consumption of content happens in a controlled way 
• The attacker is the consumer “Aleve” 
13
White-box cryptography 
• History 
• Invented in 2002 by Chow et al. 
• Resurgence in academic attention in last two years — breaks, new constructions 
• Work in progress 
• No perfect white-boxes, only relatively strong ones 
• General function obfuscator is not possible (Barak, 2001) 
• Ciphers are not proven to be impossible to obfuscate 
14
What does it get you? 
• Attackers cannot transform the key into a known form 
• Algorithm or code has to be lifted or leveraged 
• Prevents BORE (break once run everywhere) attacks 
• Can’t plug into standard cryptography libraries 
• Nation-state attackers use specialized hardware 
• Traitor tracing 
• You can rotate keys on a schedule since cost to break is bounded 
15
Which algorithms? 
• Symmetric Key Cryptography 
• DES 
• AES 
• Public Key Cryptography? 
• RSA (maybe?) 
• ECC (maybe?) 
16
Example Implementation 
• 128-bit AES 
• 16 byte key, 16 byte message block 
• What about replacing implementation with a lookup table? 
• Map from input to output indexed by order 
• Lookup table has minimal information about structure of algorithm — black box 
• 2^128 possible inputs of size 128 bits 
• Storage of 5 x 10^27 terabytes — too much 
17
Example Implementation 
• AES Internals 
• SubBytes — Byte-wise substitution 
• ShiftRows — Permutation of bytes 
• MixColumns — Linear combination of bytes 
• AddRoundKey — XOR a piece of the key 
18
AES 
19
Example Implementation 
• AddRoundKey, SubBytes 
• Can be merged into one operation — byte-wise lookup table called a T-box 
• MixColumns 
• Linear combination — byte-wise lookup table for constants 
• Nibble-wise lookup tables for linear factors 
• Lots of lookup tables can be combined 
20
Internal Encoding 
• Composition of functions 
• Chaining random lookup tables 
21
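Added example (not from the original slides): the T-box merge and the chained internal encoding described on the two slides above, for a single byte position. It assumes a simplified two-table chain with ShiftRows and MixColumns omitted; the key bytes, the seed and all function names are constructed for illustration.

```python
import random

def gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def aes_sbox():
    """Derive the AES S-box: field inverse followed by the affine map."""
    box = []
    for x in range(256):
        inv = next((y for y in range(1, 256) if gf_mul(x, y) == 1), 0)
        s = inv
        for shift in range(1, 5):
            s ^= ((inv << shift) | (inv >> (8 - shift))) & 0xFF
        box.append(s ^ 0x63)
    return box

def invert(perm):
    """Inverse of a byte permutation given as a 256-entry list."""
    inv = [0] * 256
    for i, v in enumerate(perm):
        inv[v] = i
    return inv

def t_box(sbox, k):
    """AddRoundKey and SubBytes merged for one byte: T(x) = S[x ^ k].
    A bare T-box still exposes k, because T(0) = S[k]."""
    return [sbox[x ^ k] for x in range(256)]

def encode(table, f_in, g_out):
    """Internal encoding: T'(y) = g_out(T(f_in^-1(y)))."""
    f_inv = invert(f_in)
    return [g_out[table[f_inv[y]]] for y in range(256)]

def build_chain(k1, k2, seed):
    """Two chained T-boxes; g1 is applied by table 1 and undone inside table 2."""
    rng = random.Random(seed)      # toy RNG for a reproducible demo, not a CSPRNG
    ident = list(range(256))
    g1 = ident[:]
    rng.shuffle(g1)                # random byte bijection (the internal encoding)
    sbox = aes_sbox()
    plain = (t_box(sbox, k1), t_box(sbox, k2))
    encoded = (encode(plain[0], ident, g1), encode(plain[1], g1, ident))
    return sbox, plain, encoded
```

Looking up `encoded[1][encoded[0][x]]` gives the same byte as the unencoded chain, because the random bijection cancels between adjacent tables, while each encoded table on its own no longer equals its plain T-box.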
White-box compiler 
• Inputs 
• White box description 
• Random seed 
• Key value 
• Output 
• Implementation of encryption/decryption for given key 
22 
Costs 
• Key size — Pre-scheduling causes key inflation 
• Memory cost — Large lookup tables 
• Performance cost — 5-10x in some cases 
• Engineering cost — Integration, other anti-tampering techniques 
23
In the industry 
• Mostly licensed for digital rights management — $$$ 
• Practical breaks (marcan42, Alberto Battistello, Phrack Magazine) 
• No commercial grade open source implementation 
• An affordable solution is needed 
24
Introducing Open WhiteBox 
25
Introducing Open WhiteBox 
• Group of individuals working to make white box cryptography accessible to the public 
• Open source white box compiler (using LLVM) 
• Working towards implementation of best current academic proposals 
• Initial focus on server-side applications 
• Participate in the conversation on Twitter @OpenWhiteBox 
26
Questions? 
BayThreat 
December 6th, 2013 
Nick Sullivan 
@grittygrease 
@OpenWhiteBox 
27
