Post on 30-Sep-2020
Challenges in White-Box Cryptography
Michaël P 1
1NXP Semiconductors
Early Symmetric Crypto 2015, Clervaux, January 12th, 2015
1 / 32
Introduc on
Outline
1 Introduc on
2 White-box cryptography
3 Challenges in white-box cryptography
2 / 32
Introduc on
Happy New Year 2015!
Why is the cryptographer against nuclear energy?
3 / 32
Introduc on
Happy New Year 2015!
Why is the cryptographer against nuclear energy?
Because he does not like collisions of course!
3 / 32
Introduc on
Symmetric cryptography in 2015
▶ We have a few block ciphers available▶ Pre AES era— (DES), Triple DES, IDEA, Blowfish, RC5...▶ AES— Rijndael, MARS, RC6, Serpent, Twofish.▶ Nessie— Camellia, MISTY1, SHACAL-2...
▶ We also need stream ciphers▶ Pre eStream era— A5/1, A5/2, SNOW 2.0/3G...▶ eStream—Grain, HC-128/256, Mickey, Rabbit, Salsa20/12, SOSEMANUK,
Trivium...▶ Let’s add some hash func ons...
▶ Pre SHA-3 era—MD5, RIPEMD-160, SHA-1, SHA-2, Whirlpool,(Radiogatún)...
▶ SHA3— Keccak, BLAKE, Grøstl, JH, Skein, (+2nd round candidates)▶ We also cover lightweight use cases
▶ CLEFIA, Noekeon, PRESENT, Photon, Prince, Simon...
( ... Sorry to anyone I forgot :-) )4 / 32
Introduc on
Symmetric cryptography in 2015
▶ We have a few block ciphers available▶ Pre AES era— (DES), Triple DES, IDEA, Blowfish, RC5...▶ AES— Rijndael, MARS, RC6, Serpent, Twofish.▶ Nessie— Camellia, MISTY1, SHACAL-2...
▶ We also need stream ciphers▶ Pre eStream era— A5/1, A5/2, SNOW 2.0/3G...▶ eStream—Grain, HC-128/256, Mickey, Rabbit, Salsa20/12, SOSEMANUK,
Trivium...▶ Let’s add some hash func ons...
▶ Pre SHA-3 era—MD5, RIPEMD-160, SHA-1, SHA-2, Whirlpool,(Radiogatún)...
▶ SHA3— Keccak, BLAKE, Grøstl, JH, Skein, (+2nd round candidates)▶ We also cover lightweight use cases
▶ CLEFIA, Noekeon, PRESENT, Photon, Prince, Simon...
( ... Sorry to anyone I forgot :-) )4 / 32
Introduc on
Symmetric cryptography in 2015
▶ We have a few block ciphers available▶ Pre AES era— (DES), Triple DES, IDEA, Blowfish, RC5...▶ AES— Rijndael, MARS, RC6, Serpent, Twofish.▶ Nessie— Camellia, MISTY1, SHACAL-2...
▶ We also need stream ciphers▶ Pre eStream era— A5/1, A5/2, SNOW 2.0/3G...▶ eStream—Grain, HC-128/256, Mickey, Rabbit, Salsa20/12, SOSEMANUK,
Trivium...▶ Let’s add some hash func ons...
▶ Pre SHA-3 era—MD5, RIPEMD-160, SHA-1, SHA-2, Whirlpool,(Radiogatún)...
▶ SHA3— Keccak, BLAKE, Grøstl, JH, Skein, (+2nd round candidates)▶ We also cover lightweight use cases
▶ CLEFIA, Noekeon, PRESENT, Photon, Prince, Simon...
( ... Sorry to anyone I forgot :-) )4 / 32
Introduc on
Symmetric cryptography in 2015
▶ We have a few block ciphers available▶ Pre AES era— (DES), Triple DES, IDEA, Blowfish, RC5...▶ AES— Rijndael, MARS, RC6, Serpent, Twofish.▶ Nessie— Camellia, MISTY1, SHACAL-2...
▶ We also need stream ciphers▶ Pre eStream era— A5/1, A5/2, SNOW 2.0/3G...▶ eStream—Grain, HC-128/256, Mickey, Rabbit, Salsa20/12, SOSEMANUK,
Trivium...▶ Let’s add some hash func ons...
▶ Pre SHA-3 era—MD5, RIPEMD-160, SHA-1, SHA-2, Whirlpool,(Radiogatún)...
▶ SHA3— Keccak, BLAKE, Grøstl, JH, Skein, (+2nd round candidates)▶ We also cover lightweight use cases
▶ CLEFIA, Noekeon, PRESENT, Photon, Prince, Simon...
( ... Sorry to anyone I forgot :-) )4 / 32
Introduc on
What to do next?
2015 NIST releases the SHA-3standard.
2018 2nd round candidates forCAESAR are known!
May 2021 NIST starts a newcompe on.
June 2021 The compe on ends andwinner is selected. Actuallythey just called Joan ;-).
2046 50th anniversary for TripleDES. S ll not broken.
Usage of Triple DES is approved un l 2030.
5 / 32
Introduc on
What to do next?
2015 NIST releases the SHA-3standard.
2018 2nd round candidates forCAESAR are known!
May 2021 NIST starts a newcompe on.
June 2021 The compe on ends andwinner is selected. Actuallythey just called Joan ;-).
2046 50th anniversary for TripleDES. S ll not broken.
Usage of Triple DES is approved un l 2030.
5 / 32
Introduc on
What to do next?
2015 NIST releases the SHA-3standard.
2018 2nd round candidates forCAESAR are known!
May 2021 NIST starts a newcompe on.
June 2021 The compe on ends andwinner is selected. Actuallythey just called Joan ;-).
2046 50th anniversary for TripleDES. S ll not broken.
Usage of Triple DES is approved un l 2030.
5 / 32
Introduc on
What to do next?
2015 NIST releases the SHA-3standard.
2018 2nd round candidates forCAESAR are known!
May 2021 NIST starts a newcompe on.
June 2021 The compe on ends andwinner is selected. Actuallythey just called Joan ;-).
2046 50th anniversary for TripleDES. S ll not broken.
Usage of Triple DES is approved un l 2030.
5 / 32
Introduc on
What to do next?
2015 NIST releases the SHA-3standard.
2018 2nd round candidates forCAESAR are known!
May 2021 NIST starts a newcompe on.
June 2021 The compe on ends andwinner is selected. Actuallythey just called Joan ;-).
2046 50th anniversary for TripleDES. S ll not broken.
Usage of Triple DES is approved un l 2030.
5 / 32
Introduc on
What to do next?
2015 NIST releases the SHA-3standard.
2018 2nd round candidates forCAESAR are known!
May 2021 NIST starts a newcompe on.
June 2021 The compe on ends andwinner is selected. Actuallythey just called Joan ;-).
2046 50th anniversary for TripleDES. S ll not broken.
Usage of Triple DES is approved un l 2030.
5 / 32
Introduc on
What to do next? Seriously...
▶ Fast and secure: Let’s call it done!▶ Three remaining axes:
Small box Lightweight crypto.Grey-box Built-in SCA &
fault-injec onresistance.
White-box So ware security.
6 / 32
Introduc on
What to do next? Seriously...
▶ Fast and secure: Let’s call it done!▶ Three remaining axes:
Small box Lightweight crypto.Grey-box Built-in SCA &
fault-injec onresistance.
White-box So ware security.⇑
Subject of this talk.
6 / 32
White-box cryptography
Outline
1 Introduc on
2 White-box cryptography
3 Challenges in white-box cryptography
7 / 32
White-box cryptography
Tradi onal Black-box model
Encryption / Decryption
Plaintext / Ciphertext Ciphertext / Plaintext
▶ Similar to Dolev-Yao’s a acker model for communica on networks.
8 / 32
White-box cryptography
But... cryptography is now everywhere!
▶ To secure communica one.g., email, web browsing...
▶ To secure digital assetse.g., digital right managements
▶ To secure datae.g., cloud storage, disk encryp on
▶ To secure financial transac onse.g., online payment, smart cards
▶ To secure our iden tye.g., Belgian e-ID card
It’s me to switch model...
9 / 32
White-box cryptography
Grey-box model
Encryption / Decryption
Plaintext / Ciphertext Ciphertext / Plaintext
Passive:• Time• Power• EM radiation
Active:• Inject faults• Modify hardware• Modify environment
▶ The industry has already started to integrate this model.▶ Both in the products but also in the cer fica on schemes
▶ Smart cards, secure elements...▶ Common Criteria, banking cer fica on...
10 / 32
White-box cryptography
Beyond the grey-box model
Virtual cards
CloudBanking
Transport DRM
eHealth
▶ We witness a shi from hardware toso ware.
▶ Rise of mobile applica ons requiringsecurity and cryptography.
▶ Banking applica ons...▶ Cloud storage, enterprise email...▶ DRM...
▶ Require protec on against▶ The , unlegi mate use, malwares...
▶ The grey-box model is insufficient inthis case.
11 / 32
White-box cryptography
White-box model
Encryption / Decryption
Plaintext / Ciphertext Ciphertext / Plaintext
• Static analysis• Dynamic analysis• Inspect memory
• Inject faults• Alter implementation
(Chow, Eisen, Johnson and van Oorschot, 2002)
▶ A acker has▶ full access to the cryptography algorithm,▶ full control over its execu on environment, and▶ unlimited amount of queries!
▶ Model is extremely favorable to the a acker and changes considerablythe way we think about cryptography⇒ white-box cryptography.
12 / 32
White-box cryptography
Why white-box cryptography?
Good
▶ No need for HW▶ Higher compa bility
across pla orms▶ Easy to update▶ Easy to distribute▶ Low cost▶ No huge investment
(cer fied factories)▶ Faster me to market▶ Extra features!
Bad
▶ No cer fica on scheme▶ Though security model▶ Slower, unprac cal?
13 / 32
White-box cryptography
Extra features
White-box implementa ons may offer extra features such asAsymmetry Turn a symmetric cipher into an asymmetric version, e.g.
by offering only an encrypt() API.Diversifica on Each implementa on may be diversified, even if using the
same key.Func on binding For instance, bind decryp on with authorisa on request.Pla orm binding Implementa on produces correct results only on a given
device.Traitor tracing Implementa on hides a fingerprint that can be revealed
remotely.
14 / 32
White-box cryptography
Commercial solu ons
▶ Several companies provide white-box cryptography solu ons▶ Arxan▶ Irdeto / Cloakware▶ Inside Secure / Metaforic▶ Philips▶ SafeNet▶ whiteCryp on
▶ These companies already use or plan to use white-box cryptographysolu ons
▶ Apple▶ Microso▶ NAGRA▶ Ne lix▶ Sony▶ ...
▶ Let’s see one example.15 / 32
White-box cryptography
Example: whiteCryp on
▶ whiteCryp on provides WB libraries with ECC, AES, DES, TDES, SHA...▶ Mul -Channel Finite Automata Code Transforma on (MCFACT).
MCFACT is based on composi on of finite automata.▶ Finite automata▶ Encoders▶ Automata composi on
▶ Security based on the difficulty to factor composi on of two (non-linear)automata (Bruce Schneier, 1996).
▶ Uses similar principles as finite automaton public-key cryptosystems(Renji Tao, Shihua Chen,1985).
16 / 32
White-box cryptography
Example: whiteCryp on
17 / 32
White-box cryptography
Example: whiteCryp on
17 / 32
White-box cryptography
Example: whiteCryp on
17 / 32
White-box cryptography
Example: whiteCryp on
17 / 32
White-box cryptography
Example: whiteCryp on
17 / 32
White-box cryptography
Example: whiteCryp on
17 / 32
Challenges in white-box cryptography
Outline
1 Introduc on
2 White-box cryptography
3 Challenges in white-box cryptography
18 / 32
Challenges in white-box cryptography
On the security of white-box cryptography
▶ All white-box AES implementa ons published in the academic literaturehave been broken (De Mulder, 2014).
▶ This does not cover proprietary solu ons from commercial companies(Irdeto, Nagra, whiteCryp on, SafeNet).
▶ ... However, as of today, no (published) break-through with regard tosecure white-box techniques.
Ques on
Secure¹ white-box cryptography implementa on: chimera or reality?
¹i.e., as secure as black-/grey-box equivalent.19 / 32
Challenges in white-box cryptography
Two illustra ons of secure white-box implementa ons
The super look-up table!▶ This is 5× 1027TB for AES.▶ So “secure¹” but … imprac cal.
The unfathomable state machine!▶ A device we can’t analyze easily.▶ but cannot built … yet.
¹We’ll revisit this.20 / 32
Challenges in white-box cryptography
Two illustra ons of secure white-box implementa ons
The super look-up table!▶ This is 5× 1027TB for AES.▶ So “secure¹” but … imprac cal.
The unfathomable state machine!▶ A device we can’t analyze easily.▶ but cannot built … yet.
¹We’ll revisit this.20 / 32
Challenges in white-box cryptography
On the speed of white-box implementa on
▶ Let’s assume a “secure” WB implementa on is possible. This callsimmediately for the next ques on.
Ques on
Fast and secureWB crypto implementa on: chimera or reality?
▶ For instance, current WB-AES implementa ons apply speed-securitytradeoffs.
▶ Reuse S-box tables▶ Reuse internal encodings▶ ...
▶ Currently tradeoffs are more in favor of speed...
21 / 32
Challenges in white-box cryptography
On the speed of white-box implementa on
▶ Fast and secure? Thoughques on.
▶ Let’s ask Raymond...
▶ Ok... Let’s assume it’s feasible.▶ Assume we have at hand a fast
and secure WB-AESimplementa on.
▶ What can we do with it?
22 / 32
Challenges in white-box cryptography
On the speed of white-box implementa on
▶ Fast and secure? Thoughques on.
▶ Let’s ask Raymond...
▶ Ok... Let’s assume it’s feasible.▶ Assume we have at hand a fast
and secure WB-AESimplementa on.
▶ What can we do with it?
22 / 32
Challenges in white-box cryptography
On the speed of white-box implementa on
▶ Fast and secure? Thoughques on.
▶ Let’s ask Raymond...
▶ Ok... Let’s assume it’s feasible.▶ Assume we have at hand a fast
and secure WB-AESimplementa on.
▶ What can we do with it?
22 / 32
Challenges in white-box cryptography
Crypto nerds vs. reality
23 / 32
Challenges in white-box cryptography
Crypto nerds vs. reality – white-box version
The white-box lock The “$5 wrench”
A ackers:▶ always go for the weakest link.▶ are not respec ul.▶ have lot of imagina on.
24 / 32
Challenges in white-box cryptography
Keep the real target in mind!
▶ Keys are just necessary evils, they are not the actual assets.▶ To protect these assets, the implementa on must
▶ keep the key value secret, and▶ protect how the key is used.
▶ Remember: the a acker’s mo ve is not to extract the key value but toget what the key gives access to.
▶ Examples:
DRM apps ⇒ musics, movies...Banking apps ⇒ payment authorisa on, money...Secure vault ⇒ file content...
25 / 32
Challenges in white-box cryptography
A gradient of a acker’s targets
26 / 32
Challenges in white-box cryptography
Back to the white-box model
Application
Input Output
• Static analysis• Dynamic analysis• Inspect memory
• Inject faults• Alter implementation
▶ Froma secure white-box cryptography implementa on
toan implementa on that is secure in the white-box model.
▶ In the la er, the meaning of “secure” depends on both▶ the security objec ves, and▶ the a ack model.
27 / 32
Challenges in white-box cryptography
Secure in the white-box model?
Ques on
An implementa on that is secure in the WB model: chimera or reality?
▶ Most security systems must at least achieve the following objec ves:1. Confiden ality Done!2. Integrity3. Authorisa on4. An -replay5. Unclonability
▶ We can imagine how to provide integrity …▶ Authorisa on seems much harder (against an all-seeing a acker) …▶ As for an -replay and unclonability: no solu on yet…
Ques on
Is the model too strong? What are we missing to achieve these objec ves?28 / 32
Challenges in white-box cryptography
Secure in the white-box model?
Ques on
An implementa on that is secure in the WB model: chimera or reality?
▶ Most security systems must at least achieve the following objec ves:1. Confiden ality Done!2. Integrity3. Authorisa on4. An -replay5. Unclonability
▶ We can imagine how to provide integrity …▶ Authorisa on seems much harder (against an all-seeing a acker) …▶ As for an -replay and unclonability: no solu on yet…
Ques on
Is the model too strong? What are we missing to achieve these objec ves?28 / 32
Challenges in white-box cryptography
Secure in the white-box model?
Ques on
An implementa on that is secure in the WB model: chimera or reality?
▶ Most security systems must at least achieve the following objec ves:1. Confiden ality Done!2. Integrity3. Authorisa on4. An -replay5. Unclonability
▶ We can imagine how to provide integrity …▶ Authorisa on seems much harder (against an all-seeing a acker) …▶ As for an -replay and unclonability: no solu on yet…
Ques on
Is the model too strong? What are we missing to achieve these objec ves?28 / 32
Challenges in white-box cryptography
Is binding the (new) key?
“When the a acker has knowledge of the internal details of a (cryptographic)algorithm, the way how it is implemented is the sole remaining line of
defense.” (Chow et al., 2002)
▶ Use the same technique to provide the (missing) security objec ves.▶ The same applies for providing extra features.
▶ e.g., Authorisa on is typically a case of func on binding.
▶ Good white-box designs must then▶ Protect the value of cryptographic keys,▶ Be flexible enough to bind with other func ons.
29 / 32
Challenges in white-box cryptography
Learn the lessons from the grey-box model
▶ Remember, the white-box model gives the a acker▶ Full access to and▶ Full control over the execu on environment, and▶ unlimited amount of queries.
▶ This is a bargain for any grey-box a acker.▶ It seems that current design does not address this a ack vector.
Ques on
How to take into account the lessons we learned from grey-boximplementa ons?
30 / 32
Conclusions
Conclusions
▶ White-box cryptography is fun, interes ng and may offer cool extrafeatures.
▶ Commercial products and usage is growing.▶ Protec ng the key value is not enough.▶ No solu on yet to some core security objec ves.
▶ Is the model too strong?
▶ We must learn lessons from the grey-box model.
31 / 32
Ques ons
Ques ons?
Contact me atmichael-DOT-peeters-AT-nxp-DOT-com
DISCLAIMER: No WB design was hurt during the making of this presenta on.
32 / 32