In this talk, we discuss white box cryptography, a technique used to protect cryptographic keys from a local attacker. In keeping with the theme of building and breaking security, we will discuss the challenges involved in building a white-box crypto system.
2. My Background
• Systems Engineering at CloudFlare
• Cryptography at Apple
• Threat analysis at Symantec
• M.Sc. in Cryptography
• Undergraduate Pure Mathematics
!2
3. What this talk is about
• Introduction to white-box cryptography
• Why we need this now more than ever
• Key concepts for implementations
• Steps for the future — with an announcement
!3
4. Let’s talk about physical access
• If an attacker has physical access, they have everything, right?
• Cold Boot, Evil Maid, Jailbreak, etc.
• It only takes time
!
• Solution: Lock it up!
!4
5. Let’s talk about physical access
• What about servers?
• Where are modern servers kept?
• Your own data center?
• A “physically secure” co-location facility?
• On a virtual machine in the cloud?
• On a globally-distributed CDN?
• Under which national jurisdiction?
!5
6. Server Breaches Happen
• How long does it take to get your secrets?
• Reverse engineering skill of attacker
• Diminishing cost to attacker as skills and tools accumulate
!
• Wouldn’t it be great if there was a computational burden placed on the
attacker for every new secret?
• You could rotate your secrets on a fixed schedule
!6
11. White-box Cryptography
• Cryptographic implementations that hide the key from everyone
• Attackers on the wire
• Attackers outside the house
• Attackers inside the house (evil maids included)
!11
12. White-box cryptography
• Protection against key extraction in the strongest possible threat model
• Secures keys, not data
• White-box attackers no better off than black-box attackers
!12
13. For Example
• Digital Rights Management
• The key protecting streams from Spotify, Netflix, etc.
• Decryption and consumption of content happens in a controlled way
• The attacker is the consumer “Aleve”
!13
14. White-box cryptography
• History
• Invented in 2002 by Chow et al.
• Resurgence in academic attention in last two years — breaks, new constructions
• Work in progress
• No perfect white-boxes, only relatively strong ones
• General function obfuscator is not possible (Barak, 2001)
• Ciphers are not proven to be impossible to obfuscate
!14
15. What does it get you?
• Attackers cannot transform the key into a known form
• Algorithm or code has to be lifted or leveraged
• Prevents BORE (break once run everywhere) attacks
• Can’t plug into standard cryptography libraries
• Nation-state attackers use specialized hardware
• Traitor tracing
• You can rotate keys on a schedule since cost to break is bounded
!15
16. Which algorithms?
• Symmetric Key Cryptography
• DES
• AES
!
• Public Key Cryptography?
• RSA (maybe?)
• ECC (maybe?)
!16
17. Example Implementation
• 128-bit AES
• 16 byte key, 16 byte message block
• What about replacing implementation with a lookup table?
• Map from input to output indexed by order
• Lookup table has minimal information about structure of algorithm — black box
• 2^128 possible inputs of size 128bit
• Storage of 5 x 10^27 terabytes — too much
!17
18. Example Implementation
• AES Internals
• SubBytes — Byte-wise substitution
• ShiftRows — Permutation of bytes
• MixColumns — Linear combination of bytes
• AddRoundKeys — XOR a piece of the key
!18
20. Example Implementation
• AddRoundKey, SubBytes
• Can be merged into one operation — byte-wise lookup table called a T-box
• MixColumns
• Linear combination — byte-wise lookup table for constants
• Nibble-wise lookup tables for linear factors
• Lots of lookup tables can be combined
!20
22. White-box compiler
• Inputs
• White box description
• Random seed
• Key value
4663900
• Output
• Implementation of encryption/decryption for given key
!22
23. Costs
• Key size — Pre-scheduling causes key inflation
• Memory cost — Large lookup tables
• Performance cost — 5-10x in some cases
• Engineering cost — Integration, other anti-tampering techniques
!23
24. In the industry
• Mostly licensed for digital rights management — $$$
• Practical breaks (marcan42, Alberto Battistello, Phrack Magazine)
!
• No commercial grade open source implementation
• An affordable solution is needed
!24
26. Introducing Open WhiteBox
• Group of individuals working to make white box cryptography accessible to the public
• Open source white box compiler (using LLVM)
• Working towards implementation of best current academic proposals
• Initial focus on server-side applications
!
• Participate in the conversation on Twitter @OpenWhiteBox
!26