towards practical whitebox cryptography optimizing
play

Towards(Practical(Whitebox Cryptography:( - PowerPoint PPT Presentation

Dec 24, 2022 •251 likes •766 views

Towards(Practical(Whitebox Cryptography:( Optimizing(Efficiency(and(Space(Hardness Andrey'Bogdanov ,(Takanori Isobe and(Elmar Tischhauser DTU(and(Sony Hanoi,(Vietnam Asiacrypt16 5 December(2016 Motivation

  1. Towards(Practical(Whitebox Cryptography:( Optimizing(Efficiency(and(Space(Hardness Andrey'Bogdanov ,(Takanori Isobe and(Elmar Tischhauser DTU(and(Sony Hanoi,(Vietnam Asiacrypt’16 5 December(2016

  2. Motivation • What(can(our(techniques(from(symmetricQkey( domain(say(about(whitebox primitives?( • Is(it(possible(to(attain(any(arguable(level(of( residual(security(in(the(whitebox setting?

  3. In(this(talk • Setting(and(Requirements • Applications • Existing(Whitebox Solutions • SPACEcipher :(AESQbased(Whitebox Block(Cipher • SPNbox :(Dedicated(Whitebox Block(Cipher • Implementations(in(the(Black(and(White(Boxes

  4. Part(1 IN'THE'WHITE'BOX

  5. Theory

  6. Theory:(Black(Box

  7. More(Realistic:(Grey(Box

  8. Practice:(White(Box

  9. Black(Box(vs(White(Box Black box White(box • Security mechanisms(invisible • Malware,(Trojans • Trustworthy(hardware(and( • Memory(leakage,(side(channels software • Critical(weaknesses in(OS(and • Computer(security(is(based(upon(( applications confidentiality(of(secret(key

  10. Black(Box(vs(White(Box Black box White(box • Security mechanisms(invisible • Malware,(Trojans • Trustworthy(hardware(and( • Memory(leakage,(side(channels software • Critical(weaknesses in(OS(and • Computer(security(is(based(upon(( applications confidentiality(of(secret(key

  11. Black(Box(vs(White(Box Black box White(box • Security mechanisms(invisible • Malware,(Trojans • Trustworthy(hardware(and( • Memory(leakage,(side(channels software • Critical(weaknesses in(OS(and • Computer(security(is(based(upon(( applications confidentiality(of(secret(key

  12. [P09] White(Box:(Attacker(in(Full(Control • What(the(whitebox attacker(can(do – Read(memory/registers – Memory(inspection – CPU(call(interception – Debugging – ReverseQengineering – Code(tampering – Cache(attacks – Inserting(breakQpoints – Force(a(system(crash – Modification(of(internal(variables – Dynamic(analysis(of(the(implementation – …

  13. White(Box:(Attacker(in(Full(Control • Adversarial(capacity – access(to(intermediate(states – access(to(memories – access(to(execution • Designer’s(goal – attain(some(residual(security • Important5note – We5cannot5protect5against5 every5adversary!

  14. White(Box:(Residual(Security • Weak'whitebox security • It is(difficult(to(recover(the( cipher’s(key • Strong'whitebox security • Weak(whitebox security + • It is(difficult(to(encrypt(given( decryption(functionality(in(WB • It is(difficult(to(decrypt(given( encryption(functionality(in(WB

  15. Part(2 APPLICATIONS

  16. Content(Distribution • DRM'in'the'cloud • Cloud(server(encrypts( for(devices • ConstantQtime(blackbox implementation(in(the( cloud • Whitebox implementation(on(the( device

  17. Host(Card(Emulation(in(CloudQbased( Mobile(Payments – HCE(enables(NFC(transactions(in(pure(software( – HCE(supported(from(Android(4.4(KitKat on

  18. Other(Applications • Authentication( • Mobile(banking • Governments(and(military • Protection(against(massQsurveillance((

  19. P A S S S S Table A Table Table S S S S Table Table A C Part(3 EXISTING'WHITEBOX'SOLUTIONS

  20. Traditional(Approach:(Tables • Whitebox(Implementation([C+02] – Encoded(table • Convert(computations(of(a(cipher((e.g.,(AES(and(DES)(into(tableQ based(ones(and(put(key(into(table(to(protect(it(from(WB(attacker( – External(encoding • Add(a(secret(permutation(in(the((beginning(and(end(of(the(cipher NonQlinear((secret) P linear((secret) secret(key S Table Table IN Q1 Dec OUT C’ P’ M Table Table linear((secret) Table NonQlinear((secret) C

  21. Traditional(Approach:(Tables • Whitebox AES(implementations – 8Qbit(table(based([C+02] – polynomial(equations(based([BCD06] – 16Qbit(table(based([XL09] – dual(AES(table based([K10] • Whitebox DES(implementation – 8Qbit(table(based([C+02]

  22. Traditional(Approach:(Tables All(published(WB(implementations(of(AES/DES(are(broken key(extraction • Whitebox implementations(of(AES • 8Qbit(table(based([C+02] – • table(decomposition Practical(attacks([BGE04][MGH08] • Polynomial(equations(based([BCD06] – P • Practical(attacks([M14] 16(bit(table(based([XL09] – Practical(attacks([MRP12] [MGH08] • – Dual(AES(tableQbased([K10] Table Practical(attacks([M14] • Table Whitebox implementation(of(DES • Table 8(bit(table(based([C+02] – Practical(attacks([W09] • Table Table Adhoc solutions,'limited'fundamental'base • C Most(implementations(are(insecure(even(in(gray(box • DPA(by(Ruhr(University(Bochum,(FSE’16 • DCA(by(NXP,(CHES’16 • DFA(by(Riscure from(BlackHat EU’15 •

  23. Dedicated(Approach:(ASASA • Dedicated(construction:(ASASA(construction([BBK14] – TableQbased(decompositionQhard(problem • A:(affine/linear(bijective(transform( • S:(nonlinear(bijective(transform( P A affine/linear S nonlinear S S S Table Table A Table S S S S Table Table A C

  24. Dedicated(Approach:(ASASA • Security – Hard(to(quantitatively(evaluate • Generic(attack:(nQbit(block((ASASA)(and(mQbit(SQbox – Time(to(compose(:(2 (nQm)m » If(m(=(8,(n(=(16(:(security(64(bits – Practically(broken • key(recovery([IDKL15,(MDFK15] • code(lifting(((decomposition(of(table)([IDKL15,(MDFK15] – At(least(12(layers(are(needed(to(attain(security([BK15] – The(underlying(problem(needs(more(analysis

  25. Existing(Approaches Summary(of(Practical(SymmetricQKey(Whitebox Proposals Blackbox Whitebox Key Recovery Distinguishing Key(Recovery( Decomposition WBQAES( Secure Secure Insecure( Insecure( [C+02](and( [BGE04] [BGE04] similar ASASA Secure? Secure? Insecure( Insecure [BBK14] [IDKL15,( [IDKL15,( MDFK15] MDFK15] Any(comparable(approach(with( some(security(in(the(whitebox?

  26. Challenge:( Robust(Whitebox Cryptography BB( • Key(recovery(security( security • Indistinguishability WB( • Key extraction(security security • Incompressibility • Compact and(fast(in(BB Efficiency • Efficient(in(WB

  27. F r Part(4 SPACE'CIPHER'(ACM'CCS’15):' AESRBASED'WHITEBOX BLOCK'CIPHER

  28. What(is(Different? Traditional'WB'solutions'[C+02] SPACEcipher and'others X 0 n a n(Q n a NonQlinear((secret) P P linear((secret) secret(key AES K S Table Table Table Table M n(Q n a n a Table Table disregard Table linear((secret) Table Table Table j NonQlinear((secret) C C y

  29. Design(Goals 1. Security(of(the(whitebox solution(relies(on(a( wellQanalyzed(problem key(recovery(problem(for(a(block(cipher,(e.g.(AES – 2. No(external(encoding executable(in(the(standQalone(manner(to(be( – applicable(in(a(wide(range(of(environments 3. Multiple(code((table)(sizes(if(needed Apply(differently(sized(tables(in(different(rounds –

  30. Security(Requirements • Security(in(the(black(box – Key'recovery resistance • computationally(hard(to(extract(a(key – Distinguishing'resistance • computationally(hard(to(distinguish(it(from(random(keyed(perm. • Security(in(the(white(box – Key'recovery resistance • computationally(hard(to(extract(a(key – Space'hardness'(decomposition'resistance) • computationally(hard(to(decompose(internal(component((table) – ( T / 2 ,5 128)Qspace(hardness – cf.((in)compressibility(in(SAC’13 – cf.(bigQkey(symmetric(encryption(in(CRYPTO’16(and(key(derivation(in(AC’16

  31. What(is(Space(Hardness? E.g.,(( T / 2 ,5 128)Qspace(hardness(: An(attacker(needs(to(obtain(at(least(half(of(the(total(table(size(to( compute(any(plaintext(or(ciphertext(with(probability(of(2 − 128 It(enables(us(to(quantitatively(evaluate(security(of(code(lifting( attacks(by(the(amount(of(required(code((table)(size(to(be( isolated(from(whiteQbox(environments(for(an(attacker.

  32. Unbalanced(TargetQHeavy Feistel Network • Block(size(:(n( • #branches:(l( • Size(of(each(line(:(n/l(bit( • Function((Table)(size:((n a to((n(– n a )(bits(( n(– n a bits n a bit( n a to((nQn a )(bit(function F r

  33. The(FQfunction • n a to((nQ n a )Qbit(function( – based(on(wellQanalyzed(block(cipher(E k X • e.g.,(AES,(PRESENT,(etc 0 – y(=(F r (X)(=(trunc nQna (E k (i ||(X))(^((j n a n(Q n a • i =(0,(j(=(r((excluded(from(table)( E K – Same(FQfunction(w/(round(constants( K (AESQ128) n(Q n a n a disregard j y trunc x (Y)((:((output(x(bit(of(Y(,(x(<(n

  34. Example:(SPACEcipherQX • 4(variants(with(differently(sized(FQfunctions

  35. Security(in(the(White(Box • Key(extraction(in(WB( – Relies(on(the(block(cipher(security(in(BB • What(an(WB(attacker(can(do(is(to(know/choose(input( and(output(of(table • A(subset(of(attacks(on(AES(possible(only(

  36. Security(in(the(White(Box • Space(hardness((decomposition) – ( T / 2 ,5 128)Qspace(hardness An(attacker(needs(to(obtain(at(least(half(of(the(total(table(size(to(( • compute(any(plaintext(or(ciphertext(with(probability(of(more(than(2 − 128 TradeQoff(between(M(and(T T(:(((total(table(size M:((code(isolated

  37. Security(in(the(Black(Box • Evaluation(against(distinguishing(attacks(

  38. Performance(in(white(box Target L1(cache L3(cache RAM HDD

Recommend

Public key cryptography: a practical Public key cryptography: a practical approach approach

Public key cryptography: a practical Public key cryptography: a practical approach approach

Public key cryptography: a practical Public key cryptography: a practical approach approach Israel Herraiz &lt;isra@herraiz.org&gt; &lt;israel.herraiz@upm.es&gt; KeyID FE0A7AF3 Fingerprint D0DA E915 BFDD E5CD 8BA0 B159 7E97 2ACB FE0A 7AF3

996 views • 43 slides
Implementing Practical leakage-resilient symmetric cryptography Daniel J. Bernstein

Implementing Practical leakage-resilient symmetric cryptography Daniel J. Bernstein

Implementing Practical leakage-resilient symmetric cryptography Daniel J. Bernstein University of Illinois at Chicago, Technische Universiteit Eindhoven CHES 2012 paper Practical leakage-resilient symmetric cryptography (Faust,

669 views • 30 slides
Yet another attack on whitebox AES implementation Patrick Derbez 1 , Pierre-Alain Fouque 1 ,

Yet another attack on whitebox AES implementation Patrick Derbez 1 , Pierre-Alain Fouque 1 ,

Yet another attack on whitebox AES implementation Patrick Derbez 1 , Pierre-Alain Fouque 1 , Baptiste Lambin 1 , Brice Minaud 2 1 Univ Rennes, CNRS, IRISA 2 Royal Holloway University of London Patrick Derbez Yet another attack on whitebox AES

626 views • 51 slides
Practical Cryptography for a Peer-to-Peer Web Browsing System A. Pokluda Cheriton School of

Practical Cryptography for a Peer-to-Peer Web Browsing System A. Pokluda Cheriton School of

Introduction Cryptography in P2P Systems A P2P Web Browsing System Comparison of Implementations in C Summary Practical Cryptography for a Peer-to-Peer Web Browsing System A. Pokluda Cheriton School of Computer Science University of

462 views • 21 slides
2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid

2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid

From Blackbox Fuzzing to Whitebox Fuzzing towards Verification 2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid Microsoft Research ISSTA2010 Page 1 July 2010 Acknowledgments Joint work with:

633 views • 38 slides
Optimizing Site Start-Up in Oncology Trials: Practical and Creative Strategies to Improve Cycle

Optimizing Site Start-Up in Oncology Trials: Practical and Creative Strategies to Improve Cycle

Optimizing Site Start-Up in Oncology Trials: Practical and Creative Strategies to Improve Cycle Time, Control Cost, and Maintain Quality Alicia Keenan Williams Sr. Project Manager MedSource provides support for complex clinical trials.

431 views • 22 slides
CRYPTOLOGY WITH CRYPTOOL 1 Practical Introduction to Cryptography and Cryptanalysis Scope,

CRYPTOLOGY WITH CRYPTOOL 1 Practical Introduction to Cryptography and Cryptanalysis Scope,

CRYPTOLOGY WITH CRYPTOOL 1 Practical Introduction to Cryptography and Cryptanalysis Scope, Technology, and Future of CrypTool 1.4.xx Prof. Bernhard Esslinger and the CrypTool Team www.cryptool.org (Updated: 19 September 2017, with release CT

1.22k views • 121 slides
Practical white-box topics design and attacks part 1 Joppe W. Bos White-Box Cryptography and

Practical white-box topics design and attacks part 1 Joppe W. Bos White-Box Cryptography and

Practical white-box topics design and attacks part 1 Joppe W. Bos White-Box Cryptography and Obfuscation August 14, 2016, Santa-Barbara, California, USA 1. What to White-Box? Comply with current Standardized standards / protocols

651 views • 35 slides
OPTIMIZING BUILDS ON WINDOWS SOME PRACTICAL CONSIDERATIONS Alexandre Ganea, Ubisoft

OPTIMIZING BUILDS ON WINDOWS SOME PRACTICAL CONSIDERATIONS Alexandre Ganea, Ubisoft

OPTIMIZING BUILDS ON WINDOWS SOME PRACTICAL CONSIDERATIONS Alexandre Ganea, Ubisoft alexandre.ganea@ubisoft.com 2019 Bay Area LLVM Developers' Meeting, Oct.22-23 1 SUMMARY PART 1 PREAMBLE PART 2 EXPERIMENTS PART 3 PROPOSAL PART 4 NEXT

1.07k views • 58 slides
HOST Cryptography I ECE 525 Cryptography Handbook of Applied Cryptography &amp;

HOST Cryptography I ECE 525 Cryptography Handbook of Applied Cryptography &amp;

HOST Cryptography I ECE 525 Cryptography Handbook of Applied Cryptography &amp; http://cseweb.ucsd.edu/users/mihir/cse207/ Brief History: Proliferation of computers and communication systems in 1960s brought with it a demand to protect

273 views • 24 slides
Welcome! Todays Agenda: Practical GPGPU: Verlet Fluid GPGPU Algorithms Optimizing

Welcome! Todays Agenda: Practical GPGPU: Verlet Fluid GPGPU Algorithms Optimizing

/INFOMOV/ Optimization &amp; Vectorization J. Bikker - Sep-Nov 2015 - Lecture 14: GPGPU (2) Welcome! Todays Agenda: Practical GPGPU: Verlet Fluid GPGPU Algorithms Optimizing GPU code INFOMOV Lecture 14

494 views • 48 slides
Securing Practical Quantum Cryptography with Optical Power Limiters Gong Zhang 1,* , Ignatius

Securing Practical Quantum Cryptography with Optical Power Limiters Gong Zhang 1,* , Ignatius

Securing Practical Quantum Cryptography with Optical Power Limiters Gong Zhang 1,* , Ignatius William Primaatmaja 2 , Jing Yan Haw 1 , Xiao Gong 1 , Chao Wang 1, , and Charles C.-W. Lim 1,2, * zhanggong@nus.edu.sg wang.chao@nus.edu.sg

856 views • 21 slides
Optimizing Implementations of Linear Layers Zejun Xiang, Xiangyong Zeng, Da Lin, Zhenzhen Bao,

Optimizing Implementations of Linear Layers Zejun Xiang, Xiangyong Zeng, Da Lin, Zhenzhen Bao,

Optimizing Implementations of Linear Layers Zejun Xiang, Xiangyong Zeng, Da Lin, Zhenzhen Bao, Shasha Zhang Nov. 09, 2020 Lightweight Cryptography -Requirements -Primitives : SIMON SPECK Circuit size PRESENT, RECTANGLE

646 views • 22 slides
Automated Whitebox Fuzz Testing Patrice Godefroid (Microsoft Research) Michael Y. Levin

Automated Whitebox Fuzz Testing Patrice Godefroid (Microsoft Research) Michael Y. Levin

Automated Whitebox Fuzz Testing Patrice Godefroid (Microsoft Research) Michael Y. Levin (Microsoft Center for Software Excellence) David Molnar (UC Berkeley &amp; MSR) Fuzz Testing Send random data to application B.

366 views • 36 slides
Basic Cryptography Ge Zhang What is Cryptography Cryptography Cryptosystem: 5-tuple (M,

Basic Cryptography Ge Zhang What is Cryptography Cryptography Cryptosystem: 5-tuple (M,

Karlstad University Basic Cryptography Ge Zhang What is Cryptography Cryptography Cryptosystem: 5-tuple (M, C, E, D, K) M: the set of plaintexts C: the set of ciphertexts E: M x K -&gt; C enciphering functions D: C x K

446 views • 40 slides
Intro to Cryptography Definitions Cryptography Cryptanalysis Cryptology CRYPTOGRAPHY

Intro to Cryptography Definitions Cryptography Cryptanalysis Cryptology CRYPTOGRAPHY

Intro to Cryptography Definitions Cryptography Cryptanalysis Cryptology CRYPTOGRAPHY Plaintext Cyphertext More definitions block cipher stream cipher hash function shared key public key digital signature

383 views • 16 slides
Symmetric Key Cryptography Introduction to Symmetric Key Cryptography What can we do?

Symmetric Key Cryptography Introduction to Symmetric Key Cryptography What can we do?

PQCRYPTO Summer School on Post-Quantum Cryptography 2017 Stefan Klbl June 20th, 2017 DTU Compute, Technical University of Denmark Symmetric Key Cryptography Introduction to Symmetric Key Cryptography What can we do? Authentication

711 views • 47 slides
IR IRIS IS+ | The generally accepted system for measuring, managing and optimizing impact Key

IR IRIS IS+ | The generally accepted system for measuring, managing and optimizing impact Key

IR IRIS IS+ | The generally accepted system for measuring, managing and optimizing impact Key features of IRIS+ include: Core Metrics Sets to increase data clarity and comparability Streamlined evidence base, research, practical how-to

177 views • 4 slides
Cryptography Concepts and Terminology Cryptography Concepts Cryptography Notation and

Cryptography Concepts and Terminology Cryptography Concepts Cryptography Notation and

Cryptography Cryptography Concepts and Terminology Security Concepts Cryptography Concepts and Terminology Cryptography Concepts Cryptography Notation and Terminology Cryptography School of Engineering and Technology CQUniversity

453 views • 11 slides
Cryptography Concepts and Terminology Cryptography Concepts Cryptography Notation and

Cryptography Concepts and Terminology Cryptography Concepts Cryptography Notation and

Cryptography Cryptography Concepts and Terminology Security Concepts Cryptography Concepts and Terminology Cryptography Concepts Cryptography Notation and Terminology Cryptography School of Engineering and Technology CQUniversity

322 views • 11 slides
Uses of Cryptography What can we use cryptography for? Lots of things Secrecy

Uses of Cryptography What can we use cryptography for? Lots of things Secrecy

Uses of Cryptography What can we use cryptography for? Lots of things Secrecy Authentication Prevention of alteration Lecture 4 Page 1 CS 236 Online Cryptography and Secrecy Pretty obvious Only those knowing the

303 views • 15 slides
Optimizing re me dia tio n a ppro a c he s Optimizing re me dia tio n a ppro a c he s a t mine

Optimizing re me dia tio n a ppro a c he s Optimizing re me dia tio n a ppro a c he s a t mine

Optimizing re me dia tio n a ppro a c he s Optimizing re me dia tio n a ppro a c he s a t mine site s: ho w unde rsta nding b io g e o c he mic a l pro c e sse s a nd b io g e o c he mic a l pro c e sse s a nd mo de ling c a n g uide

394 views • 26 slides
Cryptography Modern cryptography was born in 1970s when computationally easy-to-verify but

Cryptography Modern cryptography was born in 1970s when computationally easy-to-verify but

Cryptography Modern cryptography was born in 1970s when computationally easy-to-verify but hard-to-solve problems were discovered. Computational Complexity, by Fu Yuxi Cryptography 1 / 75 Cryptography is closely related to some

785 views • 76 slides
Quantum Cryptography Lecture 28 Quantum Cryptography Quantum Cryptography Quantum information:

Quantum Cryptography Lecture 28 Quantum Cryptography Quantum Cryptography Quantum information:

Quantum Cryptography Lecture 28 Quantum Cryptography Quantum Cryptography Quantum information: Using microscopic physical state of quantum systems (spin of atoms/sub-atomic particles, polarization of photons etc.) to encode information

1.95k views • 154 slides

More recommend