White-box cryptography aims to protect cryptographic primitives and keys in software implementations even when the adversary has a full control to the execution environment and an access to the implementation of the cryptographic algorithm. It combines mathematical transformation with obfuscation techniques so it’s not just obfuscation on a data and a code level but actually algorithmic obfuscation.
In the white-box implementation, cryptographic keys are mathematically transformed so that never revealed in a plain form, even during execution of cryptographic algorithms. With such security in the place, it becomes extremely difficult for attackers to locate, modify, and extract the cryptographic keys. Although all current academic white-box implementations have been practically broken by various attacks including table-decomposition, power analysis attack, and fault injection attacks, There are no published reports of successful attacks against commercial white-box implementations to date. When I have assessed Commercial white box implementations to check if they were vulnerable to previous attacks, I found out that previous attacks failed to retrieve a secret key protected with the commercial white-box implementation. Consequently, I modified side channel attacks to be available in academic literature and succeeded in retrieving a secret key protected with the commercial white-box cryptography implementation. This is the first report that succeeded to recover secret key protected with commercial white-box implementation to the best of my knowledge in this industry. In this talk, I would like to share how to recover the key protected with commercial white-box implementation and present security guides on applying white-box cryptography to services more securely.
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Key recovery attacks against commercial white-box cryptography implementations by Sanghwan Ahn
1. The Key Recovery Attacks against Commercial
White-box cryptography Implementations
Sanghwan Ahn | LINE Corporation
CodeBlue 2017 —Tokyo — Nov 7, 2017
2. About me
• Ahn Sanghwan(@h2spice)
• LINE corporation
• Senior security engineer
• Security research and development
• SecuInside 2013 “How to find vulnerability in software”
• Intertrust and LINE Security summit, KimchiCon, PacSec, CodeBlue,
HITCON 2017 “Key recovery attacks against commercial white-box
cryptography implementations”
3. Outline
• Introduction
• White-box Cryptography(WBC)
• Existing attacks against published white-box implementations
• Attacks against commercial white-box Implementations
• Conclusion
8. • Binary is completely visible to an attacker
• Attacker has full access to the cryptography algorithm
• Attacker has full control over its execution environment
• Unlimited amount of queries
• Static Analysis
• Code Analysis(reverse engineering)
• Dynamic Analysis
• Debugging
• DBI(dynamic binary instrumentation)
White-box threat model
9. • Trusted execution environment(TEE)
• ARM Trustzone, Intel SGX, AMD Memory Encryption
• It’s almost safe, but not many supported devices
(mostly latest devices)
• White-box cryptography(WBC)
• All academic WBC solutions have been broken.
• No attack has been observed to date on commercial WBC
Solutions for white-box threat model
Virtual
Black box
14. Table based AES implementation
T-Box
XOR Table
ShiftRows
AddRoundKey
SubByte
MixColumns
Data flow for round one of table based AES 128 implementation, 2-9 rounds are the same.
18. WB-AES implementation - internal encoding
XOR Table
XOR Table
Internal Decoding
it cancels encoding in the previous round
T’Box
Internal Encoding
it will be canceled in the next round
T’Box transformed
With Mixing Bijection
it will be canceled in the next transformation
Data flow for second round of table based AES 128 implementation.
19. WB-AES implementation - external encoding
First
round
Input
Sender
White-box
Decode
the input Final
round
Encode
the output
Output
Receiver
Decode the output
Encode
the input
23. Possible attacks : table-decomposition
Ciphertext
Plaintext
WBC
f(…)
Table decomposition
function
24. Possible attacks : power analysis
Ciphertext
Plaintext
WBC
Recode intermediate
computation result
And then compare it
and simulated data
ShiftRows
SubBytes
MixColumns
AddRoundKey
Ciphertext
PlaintextKey
Simulator
25. Typical example of a (hardware) power trace of an unprotected AES-128 implementation (one can observe the ten rounds)
Power analysis on the hardware
Reference : Joppe W. Bos et al. - Differential Computation Analysis: Hiding your White-Box Designs is Not Enough
26. Typical example of a (hardware) power trace of an unprotected AES-128 implementation (one can observe the ten rounds)
Power analysis on the hardware
Reference : Joppe W. Bos et al. - Differential Computation Analysis: Hiding your White-Box Designs is Not Enough
27. Typical example of a portion of a serialized software trace of stack writes in an WBAES-128, with only two possible values: 0 or 1
Power analysis on the software
Reference : Joppe W. Bos et al. - Differential Computation Analysis: Hiding your White-Box Designs is Not Enough
28. The correlation between the sensitive data and the power consumption for the 256 key guesses for a single byte
Correlation power analysis(CPA)
Reference : W. Hnath, J. Pettengill, “Differential Power Analysis Side-Channel Attacks in Cryptography,” Major Qualifying Project, Worcester Polytechnic Institute, April 2010
29. The correlation between the sensitive data and the power consumption for the 256 key guesses for 16 byte
Correlation power analysis(CPA)
Reference : W. Hnath, J. Pettengill, “Differential Power Analysis Side-Channel Attacks in Cryptography,” Major Qualifying Project, Worcester Polytechnic Institute, April 2010
30. Possible attacks : fault analysis
Faulty Ciphertext
(incorrect result)
Plaintext
WBC
Ciphertext(correct result)
Plaintext
WBC
1. Modify
intermediate data
2. Record changes to the output
3, Compare incorrect result and correct result
31. Differential fault analysis(DFA)
87 F2 4D 97
6E 4C 90 EC
46 E7 4A C3
A6 8C D8 95
After ShiftRow9
99 F2 4D 97
6E 4C 90 EC
46 E7 4A C3
A6 8C D8 95
Fault injected ‘1E’
7B 40 43 4C
29 D4 70 9F
8A E4 3A 42
CF A5 A6 BC
After Mixcolumns
AC 19 28 57
77 FA D1 5C
66 DC 29 00
F3 21 41 6E
K9
D7 59 8B 1B
5E 2E A1 C3
EC 38 13 42
3C 84 E7 D2
After AddRoundKey9
0E CB 3D AF
58 31 32 2E
CE 07 7D 2C
EB 5F 94 B5
After SubBytes10
0E CB 3D AF
31 32 2E 58
7D 2C CE 07
B5 EB 5F 94
After ShiftRows10
D0 C9 E1 B6
14 EE 3F 63
F9 25 0C 0C
A8 89 C8 A6
K10
DE 02 DC 19
25 DC 11 3B
84 09 C2 0B
1D 62 97 32
Output with faults
39 02 DC 19
25 DC 11 6A
84 09 85 0B
1D FB 97 32
Output without fault
⊕
⊕
=
Input = ’3243F6A8885A308D313198A2E0370734’
Cipher Key =’2B7E151628AED2A6ABF7158809CF4F3C’
Output= ’3925841D02DC09FBDC118597196A0B32’
Reference : P. Dusart, G. Letourneux and O. Vivolo, “Differential Fault Analysis on A.E.S.,” Cryptology ePrint Archive of IACR, No. 010, 2003
32. Differential fault analysis(DFA)
87 F2 4D 97
6E 4C 90 EC
46 E7 4A C3
A6 8C D8 95
After ShiftRow9
99 F2 4D 97
6E 4C 90 EC
46 E7 4A C3
A6 8C D8 95
Fault injected ‘1E’
AC 19 28 57
77 FA D1 5C
66 DC 29 00
F3 21 41 6E
K9
D7 59 8B 1B
5E 2E A1 C3
EC 38 13 42
3C 84 E7 D2
After AddRoundKey9
0E CB 3D AF
58 31 32 2E
CE 07 7D 2C
EB 5F 94 B5
After SubBytes10
0E CB 3D AF
31 32 2E 58
7D 2C CE 07
B5 EB 5F 94
After ShiftRows10
D0 C9 E1 B6
14 EE 3F 63
F9 25 0C 0C
A8 89 C8 A6
K10
DE 02 DC 19
25 DC 11 3B
84 09 C2 0B
1D 62 97 32
Output with faults
39 02 DC 19
25 DC 11 6A
84 09 85 0B
1D FB 97 32
Output without fault
E7 00 00 00
00 00 00 51
00 00 47 00
00 99 00 00
Error
⊕
⊕
⊕= =
Input = ’3243F6A8885A308D313198A2E0370734’
Cipher Key =’2B7E151628AED2A6ABF7158809CF4F3C’
Output= ’3925841D02DC09FBDC118597196A0B32’
Reference : P. Dusart, G. Letourneux and O. Vivolo, “Differential Fault Analysis on A.E.S.,” Cryptology ePrint Archive of IACR, No. 010, 2003
7B 40 43 4C
29 D4 70 9F
8A E4 3A 42
CF A5 A6 BC
After Mixcolumns
33. 87 F2 4D 97
6E 4C 90 EC
46 E7 4A C3
A6 8C D8 95
After ShiftRow9
99 F2 4D 97
6E 4C 90 EC
46 E7 4A C3
A6 8C D8 95
Fault injected ‘1E’
AC 19 28 57
77 FA D1 5C
66 DC 29 00
F3 21 41 6E
K9
D7 59 8B 1B
5E 2E A1 C3
EC 38 13 42
3C 84 E7 D2
After AddRoundKey9
0E CB 3D AF
58 31 32 2E
CE 07 7D 2C
EB 5F 94 B5
After SubBytes10
0E CB 3D AF
31 32 2E 58
7D 2C CE 07
B5 EB 5F 94
After ShiftRows10
D0 C9 E1 B6
14 EE 3F 63
F9 25 0C 0C
A8 89 C8 A6
K10
DE 02 DC 19
25 DC 11 3B
84 09 C2 0B
1D 62 97 32
Output with faults
39 02 DC 19
25 DC 11 6A
84 09 85 0B
1D FB 97 32
Output without fault
⊕
⊕
⊕= =
Differential fault analysis(DFA)
E7 00 00 00
00 00 00 51
00 00 47 00
00 99 00 00
Error
Input = ’3243F6A8885A308D313198A2E0370734’
Cipher Key =’2B7E151628AED2A6ABF7158809CF4F3C’
Output= ’3925841D02DC09FBDC118597196A0B32’
Reference : P. Dusart, G. Letourneux and O. Vivolo, “Differential Fault Analysis on A.E.S.,” Cryptology ePrint Archive of IACR, No. 010, 2003
7B 40 43 4C
29 D4 70 9F
8A E4 3A 42
CF A5 A6 BC
After Mixcolumns
34. Secret Key
4A 32 4D 72 39 33 33 6C
61 54 4E 6B 32 4D 4A 30
WB Engine
Protected Key
49 D8 AD DC 2B AE 89 D1
EE 67 D0 5F CB F3 5C 07
35 2D B4 93 F1 63 D8 51
DC 58 BB DA E0 9A 60 0B
11 6E 12 15 B9 53 0E 66
F6 34 98 43 AC 80 7D F7
DA 02 DF 95 66 21 AE B4
5F 9E 7F 13 75 35 C3 95
5B D6 7A 81 4E 75 7D 55
56 CE 47 69 32 5A 5E D8
12 15 DA E0 2D 2B AE D8
…
Commercial white-box implementation
35. Secret Key
4A 32 4D 72 39 33 33 6C
61 54 4E 6B 32 4D 4A 30
WB Engine
Protected Key
49 D8 AD DC 2B AE 89 D1
EE 67 D0 5F CB F3 5C 07
35 2D B4 93 F1 63 D8 51
DC 58 BB DA E0 9A 60 0B
11 6E 12 15 B9 53 0E 66
F6 34 98 43 AC 80 7D F7
DA 02 DF 95 66 21 AE B4
5F 9E 7F 13 75 35 C3 95
5B D6 7A 81 4E 75 7D 55
56 CE 47 69 32 5A 5E D8
12 15 DA E0 2D 2B AE D8
…
It's very difficult to recover protected key to plain key
Commercial white-box implementation
36. • Side channel attacks
• Correlation Power analysis (CPA)
• Differential Fault Analysis (DFA)
• Control flow visualization
White-box cryptanalysis — existing research
References
- Joppe W. Bos et al. - Differential Computation Analysis: Hiding your White-Box Designs is Not Enough
- Paul Bottinelli and Joppe W. Bos - Computational Aspects of Correlation Power Analysis
- Eloi Sanfelix, Cristofaro Mune, Job de Haas - Unboxing The White-Box: Practical Attacks Against Obfuscated Ciphers
37. Typical example of a (hardware) power trace of an unprotected AES-128 implementation (one can observe the ten rounds)
Cryptographic primitive
Reference : Kevin Meritt, “Differential Power Analysis attacks on AES”
38. White-box cryptanalysis — existing research
• Side channel attacks
• Correlation Power analysis (CPA)
• Differential Fault Analysis (DFA)
• Control flow visualization
References
- Joppe W. Bos et al. - Differential Computation Analysis: Hiding your White-Box Designs is Not Enough
- Paul Bottinelli and Joppe W. Bos - Computational Aspects of Correlation Power Analysis
- Eloi Sanfelix, Cristofaro Mune, Job de Haas - Unboxing The White-Box: Practical Attacks Against Obfuscated Ciphers
51. Taint analysis for simple-cipher
0x4200986: (in /lib/i386-linux-gnu/libc-2.21.so)
0x42B34AE: (in /lib/i386-linux-gnu/libc-2.21.so)
0x42B34B3: (in /lib/i386-linux-gnu/libc-2.21.so)
0x42B34B8: (in /lib/i386-linux-gnu/libc-2.21.so)
0x42B34BD: (in /lib/i386-linux-gnu/libc-2.21.so)
…
0x8181ABA: (in Commercial-SimpleWB-AES)
0x8181AC4: (in Commercial-SimpleWB-AES)
0x8181ACC: (in Commercial-SimpleWB-AES)
0x8181AD0: (in Commercial-SimpleWB-AES)
0x8181AE0: (in Commercial-SimpleWB-AES)
0x8181AE4: (in Commercial-SimpleWB-AES)
0x8181AEE: (in Commercial-SimpleWB-AES)
0x8181AF2: (in Commercial-SimpleWB-AES)
0x8181B04: (in Commercial-SimpleWB-AES)
0x8181B08: (in Commercial-SimpleWB-AES)
0x8181B10: (in Commercial-SimpleWB-AES)
0x8181B14: (in Commercial-SimpleWB-AES)
0x8181B24: (in Commercial-SimpleWB-AES)
0x8181B28: (in Commercial-SimpleWB-AES)
0x8181B32: (in Commercial-SimpleWB-AES)
…
Cryptographic
primitive
71. The way to use WBC safer in apps
• No single key for everything
• No hardcoded key(protected key)
• No static IV
• External encoding
• Asymmetric crypto algorithm based on WBC
• RSA, Elliptic curves, Diffie–Hellman
• Tamper resistant embedded integrity checksums
• Cryptographic key device binding
• device identifier + user identifier + external identifier(e,g, pin, biometric)
73. Future works
• White-box version of crypto libraries
• Retrieve a master key embedded white-box engine
• Since the vulnerabilities have already been fixed,
I will focus on finding other vulnerability.
74. Thank you
if you have any question, feel free to contact me
e-mail : h2spice@gmail.com
facebook, twitter : @h2spice