![HMACK(m) = hash[(K ⊕ opad) || h(K ⊕ ipad || m)]
Construction scheme:
Common hash calculation scheme:
15](https://image.slidesharecdn.com/phd-ys-white-boxhmac-160520161931/85/White-Box-HMAC-Make-your-cipher-secure-to-white-box-attacks-15-320.jpg)
![Both keyed parts are
located at the first
hash block
HMACK(m) = h [(K ⊕ opad) || h(K ⊕ ipad || m)]
17](https://image.slidesharecdn.com/phd-ys-white-boxhmac-160520161931/85/White-Box-HMAC-Make-your-cipher-secure-to-white-box-attacks-17-320.jpg)
![HMACK(m) = h [(K ⊕ opad) || h(K ⊕ ipad || m)]
IV f
K ⊕ opad
SO IV f
K ⊕ ipad
Si
Save inner states of hashing algorithm after the first block for
the key padded with opad and with ipad
18](https://image.slidesharecdn.com/phd-ys-white-boxhmac-160520161931/85/White-Box-HMAC-Make-your-cipher-secure-to-white-box-attacks-18-320.jpg)
![Si f
m
So f
h(K ⊕ ipad || m)
hmac
HMACK(m) = h [(K ⊕ opad) || h(K ⊕ ipad || m)]
Common hash-
function realization
Hard-coded states
used as IV
19](https://image.slidesharecdn.com/phd-ys-white-boxhmac-160520161931/85/White-Box-HMAC-Make-your-cipher-secure-to-white-box-attacks-19-320.jpg)
White-Box HMAC. Make your cipher secure to white-box attacks.
- 1. Denis Kolegov, Nikita Oleksov, Oleg Broslavsky Tomsk State University Information Security and Cryptography Department White-Box HMAC Make your cryptography secure to white-box attacks May 17-18, Moscow
- 2. Attacker is assumed to have: Zero visibility on code during execution External information, such as plaintext or ciphertext Considered secure as long as the cipher has no cryptographic weaknesses 2
- 3. Attacker is assumed to have: Partial physical access to the cryptographic key as a result of the cipher leaking side-channel information Electromagnetic radiation analysis Current/power consumption analysis Operation timing analysis 3
- 4. Attacker is assumed to have: Full visibility — inputs, outputs, memory (using debuggers), and intermediate calculations Access to the algorithms while watching how they are carried out Traditional cryptography is not secure when running in a white-box model 4
- 5. Digital Rights Management Systems The end-user is then able to purchase some type of premium content (e.g., new GoT season) The content arrives at the user’s device encrypted, and is decrypted by the software as it is viewed A malicious end-user may attempt to extract cryptographic keys from the software and then use them to redistribute content outside the DRM system 5
- 6. Client-side web application Web application forms some client-side queries to the backend A malicious user may attempt to form malicious queries and exploit some backend vulnerabilities Common case W/ white-box crypto in JS 6
- 7. Generate for every key a fixed implementation, that will contain hard-coded key Hide hardcoded key so, that encrypt and decrypt operations maintain sensitive data without revealing any portions of the key Make the key extraction difficult or even impracticable 7
- 8. The Advanced Encryption Standard (AES) is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) 8
- 9. 9
- 10. The Advanced Encryption Standard (AES) is a specification for the encryptionof electronic data established by the U.S. National Institute of Standards and Technology (NIST) 10 All that functions could be easily implemented using substitution tables
- 12. More information can be found in §4 of A Tutorial on White-box AES by James Muir For more security Chow suggest to apply to the state in every round invertible mixing bijections and external encodings 12
- 13. Client-side web application. Web application forms some client-side queries to the backend A malicious user may attempt to form malicious queries and exploit some backend vulnerabilities Common case W/ white-box crypto in JS We need keyed-hashes! 13
- 14. 2 common ways to build a keyed-hash Use a block cipher Use HMAC scheme Easy to use: just turn on CBC-MAC mode Mb slower than pure hash Possibly short block size Easy to compute Lots of possible hashes Fast 14
- 15. HMACK(m) = hash[(K ⊕ opad) || h(K ⊕ ipad || m)] Construction scheme: Common hash calculation scheme: 15
- 16. Each round of hash changes inner hash variables. Saving its’ states give us a possibility to continue hash calculations >>> import md5 >>> m =md5.new() >>> m.update("Nobody inspects") >>> m.update(" the spammish repetition") >>> m.digest() 'xbbdx9cx83xddx1exa5xc9xd9xdexc9xa1x8dxf0xffxe9‘ >>> md5.new("Nobody inspects the spammish repetition").digest() 'xbbdx9cx83xddx1exa5xc9xd9xdexc9xa1x8dxf0xffxe9' Gives the same as 16
- 17. Both keyed parts are located at the first hash block HMACK(m) = h [(K ⊕ opad) || h(K ⊕ ipad || m)] 17
- 18. HMACK(m) = h [(K ⊕ opad) || h(K ⊕ ipad || m)] IV f K ⊕ opad SO IV f K ⊕ ipad Si Save inner states of hashing algorithm after the first block for the key padded with opad and with ipad 18
- 19. Si f m So f h(K ⊕ ipad || m) hmac HMACK(m) = h [(K ⊕ opad) || h(K ⊕ ipad || m)] Common hash- function realization Hard-coded states used as IV 19
- 20. Implementation of such white-box HMAC scheme using any cryptographic of hash function requires only minimal changes in hash function code and no changes in the common template 20 Si So
- 21. https://github.com/tsu-iscd/jcrypto Implementation of White-box AES128-CTR and HMAC-SHA256 in JavaScript language RFC 4231 test vectors NIST test vectors Another custom tests (e.g. jsSHA test vectors) 21
- 22. Oleg Broslavsky ovbroslavsky@gmail.com @yalegko Nikita Oleksov neoleksov@gmail.com @NEOleksov 22 Denis Kolegov dnkolegov@gmail.com @dnkolegov