Two Attacks on a White-Box AES Implementation
Tancrède Lepoint (1,2), Matthieu Rivain (1), Yoni De Mulder (3), Peter Roelse (4), and Bart Preneel (3)
1 CryptoExperts, France, {tancrede.lepoint,matthieu.rivain}@cryptoexperts.com
2 École Normale Supérieure, France
3 KU Leuven and iMinds, Belgium, {yoni.demulder,bart.preneel}@esat.kuleuven.be
4 Irdeto B.V., The Netherlands, peter.roelse@irdeto.com
SAC 2013, Vancouver, Canada, August 15th, 2013
What is White-Box Cryptography?
White-Box Cryptography
‣ focuses on the software implementation of cryptographic primitives executed in an untrusted environment.
‣ aims at protecting the embedded secret cryptographic key; the objective is that the white-box implementation behaves as a “virtual black box”:
‣ a white-box adversary may not have any advantage over a black-box attacker, i.e., he is unable to extract any more key information than he could extract under a black-box attack (oracle access to the WB implementation).
Black-box model versus white-box model (figure): in the black-box model the adversary only submits m (or c) to E_k(·) / D_k(·) and observes c (or m); in the white-box model the adversary can debug, reverse engineer, inspect memory, inject faults and alter the implementation of E_k(·) / D_k(·).
• Black-box attacker:
‣ only has access to the input/output behavior of the cryptographic algorithm.
‣ has no visibility into its execution.
• White-box attacker:
‣ has full access to the software implementation of the cryptographic algorithm.
‣ has full control over its execution environment.
‣ has the goal to extract the secret cryptographic key (key recovery).
When the attacker has knowledge of the internal structure of a cryptographic primitive, the way it is implemented is the sole remaining line of defense.
‣ S-box blanking attack [Kerins and Kursawe, 2006]: a round that computes $x_r = S(x_{r-1}) \oplus k_w$ is modified by replacing the S-box table $S$ with the all-zero table, so that the round outputs $x_r = 0 \oplus k_w = k_w$ and the round key is read off directly.
Use case: a (very) simplified DRM model
(figure) Remote content provider: encrypts the content m with E_k to E_k(m) and issues a license Lic from a license generator. User’s playback device: the player contains a WB implementation of D_k; a license verifier checks Lic (YES/NO) before the player decrypts E_k(m) back to m. Eve, the end-user, controls the playback device.
• The trusted digital media player (containing the WB implementation) is deployed in an untrusted environment (the end-user’s playback device).
• The goal of a malicious behaving end-user is to extract the secret decryption key out of the decryption routine in order to:
‣ decrypt the encrypted content while circumventing the License Verification
‣ distribute the key to non-authorized end-users
White-Box AES Implementation
State-of-the-Art
White-box AES implementations and the attacks on them (figure):
‣ White-box AES implementation, Chow, Eisen, Johnson, van Oorschot [2002]: attacked by Billet, Gilbert and Ech-Chatbi [2004] (the BGE attack), and by the new attack based on collisions presented in this paper.
‣ Perturbated white-box AES implementation, Bringer, Chabanne, Dottax [2006]: attacked by De Mulder, Wyseur and Preneel [2010].
‣ White-box AES implementation based on wide linear encodings, Xiao and Lai [2009]: attacked by De Mulder, Roelse and Preneel [2012].
‣ Generic class of white-box implementations: cryptanalysis by Michiels, Gorissen and Hollmann [2008].
‣ White-box AES implementation based on dual ciphers of AES, Karroumi [2010].
Aspects of Chow’s White-Box AES Implementation
Descriptions of AES-128

Conventional way:
1. AddRoundKey(K^{(1)});
2. for r from 1 to 9 (rounds 1-9):
   (a) SubBytes;
   (b) ShiftRows;
   (c) MixColumns;
   (d) AddRoundKey(K^{(r+1)});
3. SubBytes; (round 10)
4. ShiftRows;
5. AddRoundKey(K^{(11)}).

Used for WB AES:
1. for r from 1 to 9 (rounds 1-9):
   (a) ShiftRows;
   (b) AddRoundKey(K̂^{(r)});
   (c) SubBytes;
   (d) MixColumns;
2. ShiftRows; (round 10)
3. AddRoundKey(K̂^{(10)});
4. SubBytes;
5. AddRoundKey(K^{(11)}).

Here K̂^{(r)} is the round key K^{(r)} with ShiftRows applied to it. Both descriptions compute the same function: ShiftRows is linear, so ShiftRows(x ⊕ K^{(r)}) = ShiftRows(x) ⊕ K̂^{(r)}, and SubBytes acts bytewise, so it commutes with ShiftRows. Moving ShiftRows to the front places the key addition directly before the S-box, which is what allows the key to be merged into the S-box tables of the white-box implementation.
AES subround (figure), for 0 ≤ j ≤ 3 and 1 ≤ r ≤ 9: the four 8-bit input bytes are XORed with the round-key bytes $k^{(r,j)}_0, k^{(r,j)}_1, k^{(r,j)}_2, k^{(r,j)}_3$, each result passes through the S-box $S$, and the four S-box outputs are multiplied by the MixColumns matrix
$$\begin{pmatrix} \mathtt{02} & \mathtt{03} & \mathtt{01} & \mathtt{01} \\ \mathtt{01} & \mathtt{02} & \mathtt{03} & \mathtt{01} \\ \mathtt{01} & \mathtt{01} & \mathtt{02} & \mathtt{03} \\ \mathtt{03} & \mathtt{01} & \mathtt{01} & \mathtt{02} \end{pmatrix}$$
giving four 8-bit output bytes. The subround covers steps (b)-(d) of a round (1 ≤ r ≤ 9): (a) ShiftRows; (b) AddRoundKey(K̂^{(r)}); (c) SubBytes; (d) MixColumns.
Encoded AES subround (figure), the naive version and the generic version.
‣ Naive version: the four 8-bit inputs are first decoded by the input encodings $P^{(r,j)}_0, \dots, P^{(r,j)}_3$, XORed with the key bytes $k^{(r,j)}_i$, passed through $S$ and MixColumns, and the four 8-bit outputs are encoded by the output encodings $Q^{(r,j)}_0, \dots, Q^{(r,j)}_3$. The new attack (collisions) is presented on this version.
‣ Generic version: in addition, a layer $\Pi^{(r,j)}_1$ sits before the key addition, the key bytes are $k^{(r,\pi^{(r)}(j))}_i$ with the byte indices in a permuted order (1, 2, 0, 3 in the figure), and a layer $\Pi^{(r,j)}_2$ follows MixColumns before the output encodings. The BGE attack is described on this version.
Revisiting the BGE Attack
BGE attack, Phase 1
‣ obtain the output encodings $Q^{(r,j)}_i$ up to an affine part;
‣ the same for the input encodings $P^{(r,j)}_i$, through round r−1 (the input encodings of round r are the inverses of the output encodings $Q^{(r-1,j')}_{i'}$ of round r−1).
(figure) After Phase 1 the subround is known up to the affine remainders $\hat{P}^{(r,j)}_i$ and $\hat{Q}^{(r,j)}_i$ of the encodings; the key bytes $k^{(r,\pi^{(r)}(j))}_i$, the S-boxes, MixColumns and the layers $\Pi^{(r,j)}_1$, $\Pi^{(r,j)}_2$ are unchanged.
BGE attack, Phase 2
‣ fully recover the affine output encodings $\hat{Q}^{(r,j)}_i$ and the key-dependent affine input encodings;
‣ fully recover the affine input encodings through round r−1.
(figure) After Phase 2 the subround is reduced to key bytes $\bar{k}^{(r,j)}_0, \dots, \bar{k}^{(r,j)}_3$ followed by $S$ and MixColumns, with
$$\big[k^{(r,\pi^{(r)}(j))}_i\big]_{0 \le i \le 3} = \big(\Pi^{(r,j)}_1\big)^{-1}\Big(\big[\bar{k}^{(r,j)}_i\big]_{0 \le i \le 3}\Big).$$
Work factors of the original and the improved BGE attack:

| | Original BGE attack | Improved BGE attack [Tolhuizen, 2012] |
|---|---|---|
| Phase 1 | 2^19 | 2^19 |
| Phase 2 | 2^29 | 2^22 |
| Phase 3 | no given work factor | 2^18 (new method for the (r+1)th round key) and 2^13 (ordering of the round keys) |
| Total work factor | 2^30 | 2^22 |

Original BGE attack:
‣ apply Phases 1 and 2 to rounds r and r+1 to obtain the round keys
‣ relate both round keys via: 1. the white-box implementation, 2. the AES key scheduling algorithm

Improved BGE attack:
‣ apply Phases 1 and 2 only to round r to obtain the r-th round key
‣ a new method to obtain the (r+1)th round key (work factor 2^18)
‣ an efficient method to determine the correct order of the round keys (work factor 2^13)
BGE attack, Phase 3
‣ obtain the (r+1)th round key: with the round-r encodings recovered, a byte of the form $k \oplus S^{-1}(x)$ (the other three bytes of the column set to 0) is fed into the round-(r+1) subround, which applies $P^{(r+1,j)}_i$, the key bytes $\bar{k}^{(r+1,j)}_i$, $S$, $\Pi^{(r+1,j)}_1$ and MixColumns; the question asked is whether the resulting map in $x$ is affine.
‣ correctness: $x \mapsto S\big(c \oplus S^{-1}(x)\big)$ is non-affine for all non-zero values of $c$, so the map is affine exactly when the guessed key byte matches the real one (c = 0).
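The following is an added example, not code from the paper or from Chow et al.'s implementation. It serves two slides at once: it implements AES-128 both in the conventional order and in the ShiftRows-first order of the "Descriptions of AES-128" slide and checks that they agree with each other and with the public FIPS-197 Appendix C.1 test vector, and it verifies the Phase 3 correctness property exhaustively by testing, for every c, whether $x \mapsto S(c \oplus S^{-1}(x))$ is affine over GF(2). The S-box is built from its definition (field inverse followed by the affine map) rather than pasted as a table; the byte layout (column-major state) and the helper names are this example's own choices.

```python
# Added example, not the paper's code. Part 1: AES-128 in textbook order and in the
# ShiftRows-first order used for white-box tables. Part 2: the Phase 3 distinguisher,
# x -> S(c ^ S^{-1}(x)) is affine over GF(2) only for c = 0, checked for all 256 c.

def _xtime(a):
    a <<= 1
    return (a ^ 0x11B) & 0xFF if a & 0x100 else a

def _gmul(a, b):
    # multiplication in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = _xtime(a), b >> 1
    return r

def _rotl8(b, n):
    return ((b << n) | (b >> (8 - n))) & 0xFF

# S-box from its definition: multiplicative inverse (0 -> 0), then the affine map.
SBOX = []
for _x in range(256):
    _inv = next((y for y in range(256) if _gmul(_x, y) == 1), 0)
    SBOX.append(_inv ^ _rotl8(_inv, 1) ^ _rotl8(_inv, 2)
                ^ _rotl8(_inv, 3) ^ _rotl8(_inv, 4) ^ 0x63)
SBOX_INV = [SBOX.index(v) for v in range(256)]

# 16-byte state in column-major order: byte i sits at row i % 4, column i // 4.
def sub_bytes(s):
    return bytes(SBOX[b] for b in s)

def shift_rows(s):
    return bytes(s[r + 4 * ((c + r) % 4)] for c in range(4) for r in range(4))

def mix_columns(s):
    out = bytearray()
    for c in range(4):
        a = s[4 * c:4 * c + 4]
        for i in range(4):
            out.append(_gmul(2, a[i]) ^ _gmul(3, a[(i + 1) % 4])
                       ^ a[(i + 2) % 4] ^ a[(i + 3) % 4])
    return bytes(out)

def add_round_key(s, k):
    return bytes(x ^ y for x, y in zip(s, k))

def key_schedule(key):
    # returns round keys K[1] .. K[11]; K[0] is unused so indices match the slides
    w = [list(key[4 * i:4 * i + 4]) for i in range(4)]
    rcon = 1
    for i in range(4, 44):
        t = list(w[i - 1])
        if i % 4 == 0:
            t = [SBOX[t[1]] ^ rcon, SBOX[t[2]], SBOX[t[3]], SBOX[t[0]]]
            rcon = _xtime(rcon)
        w.append([a ^ b for a, b in zip(w[i - 4], t)])
    return [None] + [bytes(sum(w[4 * r:4 * r + 4], [])) for r in range(11)]

def aes128_conventional(key, pt):
    K = key_schedule(key)
    s = add_round_key(pt, K[1])
    for r in range(1, 10):
        s = add_round_key(mix_columns(shift_rows(sub_bytes(s))), K[r + 1])
    return add_round_key(shift_rows(sub_bytes(s)), K[11])

def aes128_whitebox_order(key, pt):
    # ShiftRows first; the key K^(r) = ShiftRows(K(r)) is added right before
    # SubBytes, so key addition and S-box can be merged into one 8-bit table.
    K = key_schedule(key)
    s = pt
    for r in range(1, 10):
        s = mix_columns(sub_bytes(add_round_key(shift_rows(s), shift_rows(K[r]))))
    s = sub_bytes(add_round_key(shift_rows(s), shift_rows(K[10])))
    return add_round_key(s, K[11])

def is_affine(f):
    # f is a 256-entry table. f is affine over GF(2) iff g(x) = f(x) ^ f(0) is
    # linear, i.e. g(x) equals the XOR of g over the basis vectors set in x.
    basis = [f[1 << i] ^ f[0] for i in range(8)]
    for x in range(256):
        lin = f[0]
        for i in range(8):
            if x >> i & 1:
                lin ^= basis[i]
        if f[x] != lin:
            return False
    return True

def affine_key_guesses():
    # Phase 3 distinguisher: the values c for which x -> S(c ^ S^{-1}(x)) is affine.
    return [c for c in range(256)
            if is_affine([SBOX[c ^ SBOX_INV[x]] for x in range(256)])]

# FIPS-197 Appendix C.1 test vector (public; the only external data used here).
FIPS197_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")
FIPS197_PT = bytes.fromhex("00112233445566778899aabbccddeeff")
FIPS197_CT = bytes.fromhex("69c4e0d86a7b0430d8cdb78070b4c55a")

if __name__ == "__main__":
    print(aes128_conventional(FIPS197_KEY, FIPS197_PT) == FIPS197_CT)
    print(aes128_whitebox_order(FIPS197_KEY, FIPS197_PT) == FIPS197_CT)
    print(affine_key_guesses())
```

Running the block prints `True`, `True` and `[0]`: both round orderings produce the FIPS-197 ciphertext, and among the 256 possible offsets c only c = 0 yields an affine map, which is exactly what lets Phase 3 recognise the correct key-byte guess from an affinity test alone.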
New Attack based on Collisions