Embed Size (px)
Citation preview
Denis Kolegov, Nikita Oleksov, Oleg Broslavsky Tomsk State University
Information Security and Cryptography Department
White-Box HMAC Make your cryptography secure to white-box attacks
May 17-18, Moscow
Attacker is assumed to have:
Zero visibility on code during execution
External information, such as plaintext or ciphertext
Considered secure as long as the cipher has no cryptographic weaknesses
2
Attacker is assumed to have:
Partial physical access to the cryptographic key as a result of the cipher leaking side-channel information Electromagnetic radiation analysis
Current/power consumption analysis
Operation timing analysis
3
Attacker is assumed to have:
Full visibility — inputs, outputs, memory (using debuggers), and intermediate calculations
Access to the algorithms while watching how they are carried out
Traditional cryptography is not secure when running in a white-box model
4
Digital Rights Management Systems The end-user is then able to purchase some
type of premium content (e.g., new GoT season)
The content arrives at the user’s device encrypted, and is decrypted by the software as it is viewed
A malicious end-user may attempt to extract cryptographic keys from the software and then use them to redistribute content outside the DRM system
5
Client-side web application Web application forms some client-side
queries to the backend
A malicious user may attempt to form malicious queries and exploit some backend vulnerabilities
Common case W/ white-box crypto in JS 6
Generate for every key a fixed implementation, that will contain hard-coded key
Hide hardcoded key so, that encrypt and decrypt operations maintain sensitive data without revealing any portions of the key
Make the key extraction difficult or even impracticable
7
The Advanced Encryption Standard (AES) is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) 8
9
The Advanced Encryption Standard (AES) is a specification for the encryptionof electronic data established by the U.S. National Institute of Standards and Technology (NIST) 10
All that functions could be easily implemented
using substitution tables
11
Long story short…
More information can be found in §4 of A Tutorial on White-box AES
by James Muir
For more security Chow suggest to apply to the state in every round
invertible mixing bijections and external
encodings
12
Client-side web application. Web application forms some client-side
queries to the backend
A malicious user may attempt to form malicious queries and exploit some backend vulnerabilities
Common case W/ white-box crypto in JS
We need keyed-hashes!
13
2 common ways to build a keyed-hash
Use a block cipher Use HMAC scheme
Easy to use: just turn on CBC-MAC mode
Mb slower than pure hash Possibly short block size
Easy to compute
Lots of possible hashes
Fast
14
HMACK(m) = hash[(K ⊕ opad) || h(K ⊕ ipad || m)]
Construction scheme:
Common hash calculation scheme:
15
Each round of hash changes inner hash variables. Saving its’ states give us a possibility to continue hash calculations
>>> import md5 >>> m =md5.new() >>> m.update("Nobody inspects") >>> m.update(" the spammish repetition") >>> m.digest()
'\xbbd\x9c\x83\xdd\x1e\xa5\xc9\xd9\xde\xc9\xa1\x8d\xf0\xff\xe9‘
>>> md5.new("Nobody inspects the spammish repetition").digest()
'\xbbd\x9c\x83\xdd\x1e\xa5\xc9\xd9\xde\xc9\xa1\x8d\xf0\xff\xe9'
Gives the same as
16
Both keyed parts are located at the first
hash block
HMACK(m) = h [(K ⊕ opad) || h(K ⊕ ipad || m)]
17
HMACK(m) = h [(K ⊕ opad) || h(K ⊕ ipad || m)]
IV f
K ⊕ opad
SO IV f
K ⊕ ipad
Si
Save inner states of hashing algorithm after the first block for the key padded with opad and with ipad
18
Si f
m
So f
h(K ⊕ ipad || m)
hmac
HMACK(m) = h [(K ⊕ opad) || h(K ⊕ ipad || m)]
Common hash-function realization
Hard-coded states used as IV
19
Implementation of such white-box HMAC scheme using any cryptographic of hash function requires only minimal changes in hash function code and no changes in the common template
20
Si
So
https://github.com/tsu-iscd/jcrypto
Implementation of White-box AES128-CTR and HMAC-SHA256 in JavaScript language
RFC 4231 test vectors
NIST test vectors
Another custom tests (e.g. jsSHA test vectors)
21
Oleg Broslavsky
@yalegko
Nikita Oleksov
@NEOleksov
22
Denis Kolegov
@dnkolegov
