White box cryptography
- 2. Attacker is assumed to have: Zero visibility on code during execution External information, such as plaintext or ciphertext Considered secure as long as the cipher has no cryptographic weaknesses
- 3. Attacker is assumed to have: Partial physical access to the cryptographic key as a result of the cipher leaking side-channel information Electromagnetic radiation analysis Current/power consumption analysis Operation timing analysis
- 4. Attacker is assumed to have: Full visibility — inputs, outputs, memory (using debuggers), and intermediate calculations Access to the algorithms while watching how they are carried out Traditional cryptography is not secure when running in a white-box model
- 5. Digital Rights Management Systems The end-user is then able to purchase some type of premium content (e.g., new GoT season) The content arrives at the user’s device encrypted, and is decrypted by the software as it is viewed A malicious end-user may attempt to extract cryptographic keys from the software and then use them to redistribute content outside the DRM system
- 6. Client-side web application. Web application forms some client-side queries to the backend A malicious user may attempt to form malicious queries and exploit some backend vulnerabilities Common case W/ white-box crypto in JS
- 7. Generate for every key a fixed implementation, that will contain hard-coded key Hide hardcoded key so, that encrypt and decrypt operations maintain sensitive data without revealing any portions of the key Make the key extraction difficult or even impracticable
- 8. The Advanced Encryption Standard (AES) is a specification for the encryptionof electronic data established by the U.S. National Institute of Standards and Technology (NIST)
- 10. Each byte in the state matrix is replaced with a SubByte using an 8- bit substitution box This operation provides the non-linearity in the cipher. The S-box used is derived from the multiplicative inverse over GF(28) Known to have good non- linearity properties
- 11. Cyclically shifts the bytes in each row by a certain offset The importance of this step is to avoid the columns being linearly independent
- 12. Together with ShiftRows, MixColumns provides diffusion in the cipher Each column is treated as a polynomial over GF(28) and is then multiplied modulo x4+1 with a fixed polynomial c(x) = 3x3 + x2 + x + 2
- 13. For each round, a round key is derived from the main key using Rijndael's key schedule The subkey is added by combining each byte of the state with the corresponding byte of the subkey using bitwise XOR
- 14. Move 0 round key into the loop Swap SubBytes and ShiftRows operations (order of bytes affects only the order of substitutions not the result at all)
- 15. Combine AddShiftedRoudKey and SubBytes into Nr substitution tables (one for each round). Name such tables T- tables and will calculate them as following:
- 16. Since the MixColumns is a linear transformation, it can also be implemented using couple of tables
- 17. MixColumns step can be decomposed into an exclusive-or of four 32-bit values 4 x TyTables each with 256 entries (one for every possible byte value) XOR operation also could easily be implemented using substitution tables
- 18. More information can be found in §4 of A Tutorial on White-box AES by James Muir For more security Chow suggest to apply to the state in every round invertible mixing bijections and external encodings
- 19. Comics styled AES http://www.moserware.com/2009/09/stick-figure-guide-to-advanced.html Website with aggregated information about white-box cryptography http://www.whiteboxcrypto.com/ A Tutorial on White-box AES by James Muir https://ccsl.carleton.ca/~jamuir/papers/wb-aes-tutorial.pdf Some example implementations of White-box AES and attacks on it https://github.com/openwhitebox