towards practical whitebox cryptography optimizing
play

Towards(Practical(Whitebox Cryptography:( - PowerPoint PPT Presentation

Dec 24, 2022 •251 likes •766 views

Towards(Practical(Whitebox Cryptography:( Optimizing(Efficiency(and(Space(Hardness Andrey'Bogdanov ,(Takanori Isobe and(Elmar Tischhauser DTU(and(Sony Hanoi,(Vietnam Asiacrypt16 5 December(2016 Motivation

  1. Towards(Practical(Whitebox Cryptography:( Optimizing(Efficiency(and(Space(Hardness Andrey'Bogdanov ,(Takanori Isobe and(Elmar Tischhauser DTU(and(Sony Hanoi,(Vietnam Asiacrypt’16 5 December(2016

  2. Motivation • What(can(our(techniques(from(symmetricQkey( domain(say(about(whitebox primitives?( • Is(it(possible(to(attain(any(arguable(level(of( residual(security(in(the(whitebox setting?

  3. In(this(talk • Setting(and(Requirements • Applications • Existing(Whitebox Solutions • SPACEcipher :(AESQbased(Whitebox Block(Cipher • SPNbox :(Dedicated(Whitebox Block(Cipher • Implementations(in(the(Black(and(White(Boxes

  4. Part(1 IN'THE'WHITE'BOX

  5. Theory

  6. Theory:(Black(Box

  7. More(Realistic:(Grey(Box

  8. Practice:(White(Box

  9. Black(Box(vs(White(Box Black box White(box • Security mechanisms(invisible • Malware,(Trojans • Trustworthy(hardware(and( • Memory(leakage,(side(channels software • Critical(weaknesses in(OS(and • Computer(security(is(based(upon(( applications confidentiality(of(secret(key

  10. Black(Box(vs(White(Box Black box White(box • Security mechanisms(invisible • Malware,(Trojans • Trustworthy(hardware(and( • Memory(leakage,(side(channels software • Critical(weaknesses in(OS(and • Computer(security(is(based(upon(( applications confidentiality(of(secret(key

  11. Black(Box(vs(White(Box Black box White(box • Security mechanisms(invisible • Malware,(Trojans • Trustworthy(hardware(and( • Memory(leakage,(side(channels software • Critical(weaknesses in(OS(and • Computer(security(is(based(upon(( applications confidentiality(of(secret(key

  12. [P09] White(Box:(Attacker(in(Full(Control • What(the(whitebox attacker(can(do – Read(memory/registers – Memory(inspection – CPU(call(interception – Debugging – ReverseQengineering – Code(tampering – Cache(attacks – Inserting(breakQpoints – Force(a(system(crash – Modification(of(internal(variables – Dynamic(analysis(of(the(implementation – …

  13. White(Box:(Attacker(in(Full(Control • Adversarial(capacity – access(to(intermediate(states – access(to(memories – access(to(execution • Designer’s(goal – attain(some(residual(security • Important5note – We5cannot5protect5against5 every5adversary!

  14. White(Box:(Residual(Security • Weak'whitebox security • It is(difficult(to(recover(the( cipher’s(key • Strong'whitebox security • Weak(whitebox security + • It is(difficult(to(encrypt(given( decryption(functionality(in(WB • It is(difficult(to(decrypt(given( encryption(functionality(in(WB

  15. Part(2 APPLICATIONS

  16. Content(Distribution • DRM'in'the'cloud • Cloud(server(encrypts( for(devices • ConstantQtime(blackbox implementation(in(the( cloud • Whitebox implementation(on(the( device

  17. Host(Card(Emulation(in(CloudQbased( Mobile(Payments – HCE(enables(NFC(transactions(in(pure(software( – HCE(supported(from(Android(4.4(KitKat on

  18. Other(Applications • Authentication( • Mobile(banking • Governments(and(military • Protection(against(massQsurveillance((

  19. P A S S S S Table A Table Table S S S S Table Table A C Part(3 EXISTING'WHITEBOX'SOLUTIONS

  20. Traditional(Approach:(Tables • Whitebox(Implementation([C+02] – Encoded(table • Convert(computations(of(a(cipher((e.g.,(AES(and(DES)(into(tableQ based(ones(and(put(key(into(table(to(protect(it(from(WB(attacker( – External(encoding • Add(a(secret(permutation(in(the((beginning(and(end(of(the(cipher NonQlinear((secret) P linear((secret) secret(key S Table Table IN Q1 Dec OUT C’ P’ M Table Table linear((secret) Table NonQlinear((secret) C

  21. Traditional(Approach:(Tables • Whitebox AES(implementations – 8Qbit(table(based([C+02] – polynomial(equations(based([BCD06] – 16Qbit(table(based([XL09] – dual(AES(table based([K10] • Whitebox DES(implementation – 8Qbit(table(based([C+02]

  22. Traditional(Approach:(Tables All(published(WB(implementations(of(AES/DES(are(broken key(extraction • Whitebox implementations(of(AES • 8Qbit(table(based([C+02] – • table(decomposition Practical(attacks([BGE04][MGH08] • Polynomial(equations(based([BCD06] – P • Practical(attacks([M14] 16(bit(table(based([XL09] – Practical(attacks([MRP12] [MGH08] • – Dual(AES(tableQbased([K10] Table Practical(attacks([M14] • Table Whitebox implementation(of(DES • Table 8(bit(table(based([C+02] – Practical(attacks([W09] • Table Table Adhoc solutions,'limited'fundamental'base • C Most(implementations(are(insecure(even(in(gray(box • DPA(by(Ruhr(University(Bochum,(FSE’16 • DCA(by(NXP,(CHES’16 • DFA(by(Riscure from(BlackHat EU’15 •

  23. Dedicated(Approach:(ASASA • Dedicated(construction:(ASASA(construction([BBK14] – TableQbased(decompositionQhard(problem • A:(affine/linear(bijective(transform( • S:(nonlinear(bijective(transform( P A affine/linear S nonlinear S S S Table Table A Table S S S S Table Table A C

  24. Dedicated(Approach:(ASASA • Security – Hard(to(quantitatively(evaluate • Generic(attack:(nQbit(block((ASASA)(and(mQbit(SQbox – Time(to(compose(:(2 (nQm)m » If(m(=(8,(n(=(16(:(security(64(bits – Practically(broken • key(recovery([IDKL15,(MDFK15] • code(lifting(((decomposition(of(table)([IDKL15,(MDFK15] – At(least(12(layers(are(needed(to(attain(security([BK15] – The(underlying(problem(needs(more(analysis

  25. Existing(Approaches Summary(of(Practical(SymmetricQKey(Whitebox Proposals Blackbox Whitebox Key Recovery Distinguishing Key(Recovery( Decomposition WBQAES( Secure Secure Insecure( Insecure( [C+02](and( [BGE04] [BGE04] similar ASASA Secure? Secure? Insecure( Insecure [BBK14] [IDKL15,( [IDKL15,( MDFK15] MDFK15] Any(comparable(approach(with( some(security(in(the(whitebox?

  26. Challenge:( Robust(Whitebox Cryptography BB( • Key(recovery(security( security • Indistinguishability WB( • Key extraction(security security • Incompressibility • Compact and(fast(in(BB Efficiency • Efficient(in(WB

  27. F r Part(4 SPACE'CIPHER'(ACM'CCS’15):' AESRBASED'WHITEBOX BLOCK'CIPHER

  28. What(is(Different? Traditional'WB'solutions'[C+02] SPACEcipher and'others X 0 n a n(Q n a NonQlinear((secret) P P linear((secret) secret(key AES K S Table Table Table Table M n(Q n a n a Table Table disregard Table linear((secret) Table Table Table j NonQlinear((secret) C C y

  29. Design(Goals 1. Security(of(the(whitebox solution(relies(on(a( wellQanalyzed(problem key(recovery(problem(for(a(block(cipher,(e.g.(AES – 2. No(external(encoding executable(in(the(standQalone(manner(to(be( – applicable(in(a(wide(range(of(environments 3. Multiple(code((table)(sizes(if(needed Apply(differently(sized(tables(in(different(rounds –

  30. Security(Requirements • Security(in(the(black(box – Key'recovery resistance • computationally(hard(to(extract(a(key – Distinguishing'resistance • computationally(hard(to(distinguish(it(from(random(keyed(perm. • Security(in(the(white(box – Key'recovery resistance • computationally(hard(to(extract(a(key – Space'hardness'(decomposition'resistance) • computationally(hard(to(decompose(internal(component((table) – ( T / 2 ,5 128)Qspace(hardness – cf.((in)compressibility(in(SAC’13 – cf.(bigQkey(symmetric(encryption(in(CRYPTO’16(and(key(derivation(in(AC’16

  31. What(is(Space(Hardness? E.g.,(( T / 2 ,5 128)Qspace(hardness(: An(attacker(needs(to(obtain(at(least(half(of(the(total(table(size(to( compute(any(plaintext(or(ciphertext(with(probability(of(2 − 128 It(enables(us(to(quantitatively(evaluate(security(of(code(lifting( attacks(by(the(amount(of(required(code((table)(size(to(be( isolated(from(whiteQbox(environments(for(an(attacker.

  32. Unbalanced(TargetQHeavy Feistel Network • Block(size(:(n( • #branches:(l( • Size(of(each(line(:(n/l(bit( • Function((Table)(size:((n a to((n(– n a )(bits(( n(– n a bits n a bit( n a to((nQn a )(bit(function F r

  33. The(FQfunction • n a to((nQ n a )Qbit(function( – based(on(wellQanalyzed(block(cipher(E k X • e.g.,(AES,(PRESENT,(etc 0 – y(=(F r (X)(=(trunc nQna (E k (i ||(X))(^((j n a n(Q n a • i =(0,(j(=(r((excluded(from(table)( E K – Same(FQfunction(w/(round(constants( K (AESQ128) n(Q n a n a disregard j y trunc x (Y)((:((output(x(bit(of(Y(,(x(<(n

  34. Example:(SPACEcipherQX • 4(variants(with(differently(sized(FQfunctions

  35. Security(in(the(White(Box • Key(extraction(in(WB( – Relies(on(the(block(cipher(security(in(BB • What(an(WB(attacker(can(do(is(to(know/choose(input( and(output(of(table • A(subset(of(attacks(on(AES(possible(only(

  36. Security(in(the(White(Box • Space(hardness((decomposition) – ( T / 2 ,5 128)Qspace(hardness An(attacker(needs(to(obtain(at(least(half(of(the(total(table(size(to(( • compute(any(plaintext(or(ciphertext(with(probability(of(more(than(2 − 128 TradeQoff(between(M(and(T T(:(((total(table(size M:((code(isolated

  37. Security(in(the(Black(Box • Evaluation(against(distinguishing(attacks(

  38. Performance(in(white(box Target L1(cache L3(cache RAM HDD

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Public key cryptography: a practical Public key cryptography: a practical approach approach

Public key cryptography: a practical Public key cryptography: a practical approach approach

Public key cryptography: a practical Public key cryptography: a practical approach approach Israel Herraiz &lt;isra@herraiz.org&gt; &lt;israel.herraiz@upm.es&gt; KeyID FE0A7AF3 Fingerprint D0DA E915 BFDD E5CD 8BA0 B159 7E97 2ACB FE0A 7AF3

996 views • 43 slides
Implementing Practical leakage-resilient symmetric cryptography Daniel J. Bernstein

Implementing Practical leakage-resilient symmetric cryptography Daniel J. Bernstein

Implementing Practical leakage-resilient symmetric cryptography Daniel J. Bernstein University of Illinois at Chicago, Technische Universiteit Eindhoven CHES 2012 paper Practical leakage-resilient symmetric cryptography (Faust,

669 views • 30 slides
Yet another attack on whitebox AES implementation Patrick Derbez 1 , Pierre-Alain Fouque 1 ,

Yet another attack on whitebox AES implementation Patrick Derbez 1 , Pierre-Alain Fouque 1 ,

Yet another attack on whitebox AES implementation Patrick Derbez 1 , Pierre-Alain Fouque 1 , Baptiste Lambin 1 , Brice Minaud 2 1 Univ Rennes, CNRS, IRISA 2 Royal Holloway University of London Patrick Derbez Yet another attack on whitebox AES

626 views • 51 slides
Practical Cryptography for a Peer-to-Peer Web Browsing System A. Pokluda Cheriton School of

Practical Cryptography for a Peer-to-Peer Web Browsing System A. Pokluda Cheriton School of

Introduction Cryptography in P2P Systems A P2P Web Browsing System Comparison of Implementations in C Summary Practical Cryptography for a Peer-to-Peer Web Browsing System A. Pokluda Cheriton School of Computer Science University of

462 views • 21 slides
2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid

2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid

From Blackbox Fuzzing to Whitebox Fuzzing towards Verification 2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid Microsoft Research ISSTA2010 Page 1 July 2010 Acknowledgments Joint work with:

633 views • 38 slides
Optimizing Site Start-Up in Oncology Trials: Practical and Creative Strategies to Improve Cycle

Optimizing Site Start-Up in Oncology Trials: Practical and Creative Strategies to Improve Cycle

Optimizing Site Start-Up in Oncology Trials: Practical and Creative Strategies to Improve Cycle Time, Control Cost, and Maintain Quality Alicia Keenan Williams Sr. Project Manager MedSource provides support for complex clinical trials.

431 views • 22 slides
CRYPTOLOGY WITH CRYPTOOL 1 Practical Introduction to Cryptography and Cryptanalysis Scope,

CRYPTOLOGY WITH CRYPTOOL 1 Practical Introduction to Cryptography and Cryptanalysis Scope,

CRYPTOLOGY WITH CRYPTOOL 1 Practical Introduction to Cryptography and Cryptanalysis Scope, Technology, and Future of CrypTool 1.4.xx Prof. Bernhard Esslinger and the CrypTool Team www.cryptool.org (Updated: 19 September 2017, with release CT

1.22k views • 121 slides
Practical white-box topics design and attacks part 1 Joppe W. Bos White-Box Cryptography and

Practical white-box topics design and attacks part 1 Joppe W. Bos White-Box Cryptography and

Practical white-box topics design and attacks part 1 Joppe W. Bos White-Box Cryptography and Obfuscation August 14, 2016, Santa-Barbara, California, USA 1. What to White-Box? Comply with current Standardized standards / protocols

651 views • 35 slides
OPTIMIZING BUILDS ON WINDOWS SOME PRACTICAL CONSIDERATIONS Alexandre Ganea, Ubisoft

OPTIMIZING BUILDS ON WINDOWS SOME PRACTICAL CONSIDERATIONS Alexandre Ganea, Ubisoft

OPTIMIZING BUILDS ON WINDOWS SOME PRACTICAL CONSIDERATIONS Alexandre Ganea, Ubisoft alexandre.ganea@ubisoft.com 2019 Bay Area LLVM Developers' Meeting, Oct.22-23 1 SUMMARY PART 1 PREAMBLE PART 2 EXPERIMENTS PART 3 PROPOSAL PART 4 NEXT

1.07k views • 58 slides
HOST Cryptography I ECE 525 Cryptography Handbook of Applied Cryptography &amp;

HOST Cryptography I ECE 525 Cryptography Handbook of Applied Cryptography &amp;

HOST Cryptography I ECE 525 Cryptography Handbook of Applied Cryptography &amp; http://cseweb.ucsd.edu/users/mihir/cse207/ Brief History: Proliferation of computers and communication systems in 1960s brought with it a demand to protect

273 views • 24 slides
Welcome! Todays Agenda: Practical GPGPU: Verlet Fluid GPGPU Algorithms Optimizing

Welcome! Todays Agenda: Practical GPGPU: Verlet Fluid GPGPU Algorithms Optimizing

/INFOMOV/ Optimization &amp; Vectorization J. Bikker - Sep-Nov 2015 - Lecture 14: GPGPU (2) Welcome! Todays Agenda: Practical GPGPU: Verlet Fluid GPGPU Algorithms Optimizing GPU code INFOMOV Lecture 14

494 views • 48 slides
Securing Practical Quantum Cryptography with Optical Power Limiters Gong Zhang 1,* , Ignatius

Securing Practical Quantum Cryptography with Optical Power Limiters Gong Zhang 1,* , Ignatius

Securing Practical Quantum Cryptography with Optical Power Limiters Gong Zhang 1,* , Ignatius William Primaatmaja 2 , Jing Yan Haw 1 , Xiao Gong 1 , Chao Wang 1, , and Charles C.-W. Lim 1,2, * zhanggong@nus.edu.sg wang.chao@nus.edu.sg

856 views • 21 slides
Optimizing Implementations of Linear Layers Zejun Xiang, Xiangyong Zeng, Da Lin, Zhenzhen Bao,

Optimizing Implementations of Linear Layers Zejun Xiang, Xiangyong Zeng, Da Lin, Zhenzhen Bao,

Optimizing Implementations of Linear Layers Zejun Xiang, Xiangyong Zeng, Da Lin, Zhenzhen Bao, Shasha Zhang Nov. 09, 2020 Lightweight Cryptography -Requirements -Primitives : SIMON SPECK Circuit size PRESENT, RECTANGLE

646 views • 22 slides
Automated Whitebox Fuzz Testing Patrice Godefroid (Microsoft Research) Michael Y. Levin

Automated Whitebox Fuzz Testing Patrice Godefroid (Microsoft Research) Michael Y. Levin

Automated Whitebox Fuzz Testing Patrice Godefroid (Microsoft Research) Michael Y. Levin (Microsoft Center for Software Excellence) David Molnar (UC Berkeley &amp; MSR) Fuzz Testing Send random data to application B.

366 views • 36 slides
Basic Cryptography Ge Zhang What is Cryptography Cryptography Cryptosystem: 5-tuple (M,

Basic Cryptography Ge Zhang What is Cryptography Cryptography Cryptosystem: 5-tuple (M,

Karlstad University Basic Cryptography Ge Zhang What is Cryptography Cryptography Cryptosystem: 5-tuple (M, C, E, D, K) M: the set of plaintexts C: the set of ciphertexts E: M x K -&gt; C enciphering functions D: C x K

446 views • 40 slides
Intro to Cryptography Definitions Cryptography Cryptanalysis Cryptology CRYPTOGRAPHY

Intro to Cryptography Definitions Cryptography Cryptanalysis Cryptology CRYPTOGRAPHY

Intro to Cryptography Definitions Cryptography Cryptanalysis Cryptology CRYPTOGRAPHY Plaintext Cyphertext More definitions block cipher stream cipher hash function shared key public key digital signature

383 views • 16 slides
Meeting #5 Silver Spring Civic Building Silver Spring, Maryland December 2, 2015 6:30 pm to

Meeting #5 Silver Spring Civic Building Silver Spring, Maryland December 2, 2015 6:30 pm to

US 29 South Corridor Advisory Committee Meeting #5 Silver Spring Civic Building Silver Spring, Maryland December 2, 2015 6:30 pm to 9:00 pm Welcome Agenda: BRT Project Management Team Update .................................... 10 min

489 views • 44 slides
Nexi Capital S.p .p.A .A. In Investor Presentation Nexi xi Ca Capit ital l Notes No

Nexi Capital S.p .p.A .A. In Investor Presentation Nexi xi Ca Capit ital l Notes No

Nexi Capital S.p .p.A .A. In Investor Presentation Nexi xi Ca Capit ital l Notes No November 20 2018 18 Disclaimer IM IMPORTA TANT: T: You u mus ust t re read d th the f following ng before re cont ntinu nuing. No re

432 views • 27 slides
Locality Planning in the South Eastern Area Cathy Polley Ards Community Network &amp; Chair of

Locality Planning in the South Eastern Area Cathy Polley Ards Community Network &amp; Chair of

Locality Planning in the South Eastern Area Cathy Polley Ards Community Network &amp; Chair of the Ards and North Down Locality Planning Group What is locality planning? Bring together community, voluntary and statutory agencies

320 views • 14 slides
Future Options and Recommendations for Our Island Home and Senior Citizen Related Services Our

Future Options and Recommendations for Our Island Home and Senior Citizen Related Services Our

Future Options and Recommendations for Our Island Home and Senior Citizen Related Services Our Island Home Work Group July 2013 The Work Group met from October 2012 thru June 2013 to complete its analysis and formulate its recommendations

460 views • 8 slides
LEGISLATIVE BUDGET BOARD LEGISLATIVE BUDGET BOARD Report on the Hazlewood Exemption Legislative

LEGISLATIVE BUDGET BOARD LEGISLATIVE BUDGET BOARD Report on the Hazlewood Exemption Legislative

LEGISLATIVE BUDGET BOARD LEGISLATIVE BUDGET BOARD Report on the Hazlewood Exemption Legislative Policy Report SUBMITTED TO THE 84 TH TEXAS LEGISLATURE PREPARED BY LEGISLATIVE BUDGET BOARD STAFF DECEMBER 2014 Report on the Hazlewood Exemption

507 views • 49 slides
CMO Peter Sackey CFO Maria Engstrm 22nd of August 2019 Disclaimer Forward-looking statements

CMO Peter Sackey CFO Maria Engstrm 22nd of August 2019 Disclaimer Forward-looking statements

Interim Report Q2 2019 Presentation CEO Christer Ahlberg CMO Peter Sackey CFO Maria Engstrm 22nd of August 2019 Disclaimer Forward-looking statements This presentation may contain certain forward-looking statements and forecasts based on

581 views • 24 slides
Towards Sustainable Energy and Transport Systems: Examples from around the World Kristin Deason,

Towards Sustainable Energy and Transport Systems: Examples from around the World Kristin Deason,

Towards Sustainable Energy and Transport Systems: Examples from around the World Kristin Deason, Ph. D. Caribbean Lead Global Green Growth Institute at a Glance Helping developing country governments transition towards a model of economic

580 views • 19 slides
Payment Instruments, Payment Instruments, Payment Instruments, Payment Instruments, Financial

Payment Instruments, Payment Instruments, Payment Instruments, Payment Instruments, Financial

Payment Instruments, Payment Instruments, Payment Instruments, Payment Instruments, Financial Privacy Financial Financial Financial Privacy Privacy Privacy and Online Purchases and Online Purchases and Online Purchases and Online

244 views • 22 slides

More recommend