Financial
Transport
Asymmetric cryptography
Digital signatures
Identification
Public-key encryption
Recreational
…
5/03/2009
Entropy Attack (Shamir and Van Someren, 1999, [167])
Key Whitening Attack (Kerins and Kursawe, 2006 [104])
Implementation attack on k
[Figure: cipher diagram with labels E_k, D_k, E, k]
Applications (Chapter 5)
Links with diverse related techniques
Development of practical solutions in software security
Overview
Introduction
White-box security assessment
White-box implementations (Chapter 3)
Formal model and (im)possibility result (Chapter 4)
Applications and related research domains (Chapter 5)
Conclusions and future work
Idea:
Spread key information on the entire network
Make every building block seemingly independent from the key.
Goal: Effort of analysis ≥ BB attack
Ideal: Implement the cipher as one big lookup table
Objective: force an adversary to analyze the complete network in order to obtain secret key information; force to resort to black-box attacks.
Techniques: partial evaluation, by-pass encoding, matrix decomposition, etc.
Improved variant
Cryptanalysis
Goubin et al. 2007
Cryptanalysis
Wyseur et al. 2007
Generic Cryptanalysis
Michiels et al. 2008
basic building block analysis

Truncated differential cryptanalysis
Deployed to analyze white-box implementations at the ‘edges’ of the implementation (first/last round)
In this dissertation: a new strategy of truncated differential cryptanalysis on the internal rounds (hence independent from external protections)
Cryptanalysis of White-Box DES Impl. Cryptanalysis of WBDES (2) (Wyseur et al., 2007 [191])
[Figure: diagram with labels x0, x1, f0^-1, f1^-1, g, Q, y]
approach to cryptanalysis the DES and AES implementations.
PR-CPA (plaintext recovery under chosen plaintext attack) is much more interesting in practice
analysis defeats non-linearity of these networks
Our approach to capture WBC (2)
Black-box game: (1^k, sn)
White-box game: (1^k, O(Qi), sn)
context

Negative results (Saxena and Wyseur, 2008 [165])
For any non learnable family Q, there exist a non-obfuscatable security notion (this is stronger than Barak et al., 2001)
[Figure: black-box and white-box games; labels: A, s, b, WIN?, (1^k, sn), (1^k, O(Q), sn), Q[q], Q1[q1]]
meaning
notion, if q
Black-box game: Q[q], Q1[q1]
Win: if (s=x) and ‘not more than one query to Q1’
WIN?
Q1[q1] (input Y) {
    If (Y(a) = Q[q](a)) then output x
    else output 0 }
BB adversary – how to find x?
Guess x – prob: 2^-k
Guess a – prob: 2^-P(k)
Guess q – prob: 2^-k
Luck
Black-box advantage:

White-box game: Q[q], Q1[q1], O(Q[q])
Win: if (s=x) and ‘not more than one query to Q1’
WIN?
Q1[q1] (input Y) {
    If (Y(a) = Q[q](a)) then output x
    else output 0 }
WB adversary – how to find x?
Use the code O(Q[q]) as Y
White-box advantage:
Proof of impossibility result (3)
Positive result (Saxena and Wyseur, 2008 [165])
Overview
Introduction
White-box security assessment
White-box implementations
Formal model and (im)possibility result

Applications
Application domains
Related techniques
New and improved cryptographic primitives
Asymmetric cryptography
(Programmable) random oracle model
Enforce (with) hardware
Improve side-channel protection techniques
Q&A
Thank you.