yet another attack on whitebox aes implementation
play

Yet another attack on whitebox AES implementation Patrick Derbez 1 , - PowerPoint PPT Presentation

Mar 04, 2024 •103 likes •626 views

Yet another attack on whitebox AES implementation Patrick Derbez 1 , Pierre-Alain Fouque 1 , Baptiste Lambin 1 , Brice Minaud 2 1 Univ Rennes, CNRS, IRISA 2 Royal Holloway University of London Patrick Derbez Yet another attack on whitebox AES

  1. Yet another attack on whitebox AES implementation Patrick Derbez 1 , Pierre-Alain Fouque 1 , Baptiste Lambin 1 , Brice Minaud 2 1 Univ Rennes, CNRS, IRISA 2 Royal Holloway University of London Patrick Derbez Yet another attack on whitebox AES implementation 1 / 31

  2. Introduction 1 The Baek, Cheon and Hong proposal 2 Dedicated Attack 3 Generic attack 4 Patrick Derbez Yet another attack on whitebox AES implementation 2 / 31

  3. Introduction Introduction 1 The Baek, Cheon and Hong proposal 2 3 Dedicated Attack Generic attack 4 Patrick Derbez Yet another attack on whitebox AES implementation 3 / 31

  4. Introduction Black box vs. White box Black box model in AES K out Patrick Derbez Yet another attack on whitebox AES implementation 4 / 31

  5. Introduction Black box vs. White box Black box model White box model in in key = 0x1337. . . key schedule(key) AES K out = in for i in 0. . .10 round i(out,key) return out out out Patrick Derbez Yet another attack on whitebox AES implementation 4 / 31

  6. Introduction White box implementation Attacker: • extracting key information from the implementation in • computing decryption scheme from encryption scheme key = 0x1337. . . key schedule(key) Designer: out = in • provide sound and secure imple- for i in 0. . .10 mentation round i(out,key) return out Main application: • Digital Rights Management out • Fast (post-quantum ) public-key encryption scheme Patrick Derbez Yet another attack on whitebox AES implementation 5 / 31

  7. Introduction Two main design strategies Table lookup First proposal by Chow et al. in 2002: broken Xiao and Lai in 2009: broken Karroumi et al. in 2011: broken Baek et al. in 2016: our target WhiteBlock from Fouque et al. : secure (but weird model) ASASA-like designs SASAS construction: broken in 2001 by Biryukov et al. ASASA proposals (Biryukov et al. , 2014): broken Recent proposals at ToSC’17 by Biryukov et al. to use more layers, leading to SA. . . SAS Patrick Derbez Yet another attack on whitebox AES implementation 6 / 31

  8. Introduction CEJO Framework Derived from Chow et al. first white-box candidate constructions. Block cipher decomposed into R round functions. Round functions obfuscated using encodings. Obfuscated round functions implemented and evaluated using several tables (of reasonable size) · · · ◦ f ( r +1) − 1 ◦ E ( r ) ◦ f ( r ) ◦ f ( r ) − 1 ◦ E ( r − 1) ◦ f ( r − 1) ◦ . . . � �� � � �� � table table Increase security with external encodings Patrick Derbez Yet another attack on whitebox AES implementation 7 / 31

  9. Introduction Baek et al. ’s toolbox Proposed by Baek, Cheon and Hong in 2016. Toolbox dedicated to SPN under CEJO framework Generic method to recover non-linear part of encodings Generic algorithm to recover the linear component of encodings Finding non-linear part not higher than recovering linear part New AES white-box construction Based on CEJO framework Parallel AES Resisting their toolbox (110 bits of security) Our target Patrick Derbez Yet another attack on whitebox AES implementation 8 / 31

  10. The Baek, Cheon and Hong proposal Introduction 1 The Baek, Cheon and Hong proposal 2 3 Dedicated Attack Generic attack 4 Patrick Derbez Yet another attack on whitebox AES implementation 9 / 31

  11. The Baek, Cheon and Hong proposal The Baek, Cheon and Hong proposal Round function of AES : AES ( r ) = MC ◦ SR ◦ SB ◦ ARK 256-bit 256-bit A ( r ) A ( r ) K ( r ) K ( r ) ⇒ AES ( r ) AES ( r ) S . . . S S . . . S table � A ( r +1) � − 1 MC ◦ SR MC ◦ SR M ( r ) � A ( r +1) � − 1 256-bit 256-bit Patrick Derbez Yet another attack on whitebox AES implementation 10 / 31

  12. The Baek, Cheon and Hong proposal Sparse input encoding       A 0 , 0 A 0 , 1 x 0 a 0 x 1 a 1 A 1 , 1 A 1 , 2     ⊕   A ( x ) = . .  ... ...  . . . . x 31 a 31 A 31 , 0 A 31 , 31 M = A − 1 ◦ MC ◦ SR 1 Split M in columns blocks of size 8 s.t. M = ( M 0 | . . . | M 31 ) � 31 2 M . x = M i . x i i =0 3 16-bit to 256-bit mappings: F i = M i ◦ S ◦ ⊕ ( k i ⊕ a i ) ◦ ( A i , i , A i , i +1 ) 4 Round function: 31 � F ( r ) ( x 0 , . . . , x 31 ) = F i ( x i , x i +1 ) i =0 Patrick Derbez Yet another attack on whitebox AES implementation 11 / 31

  13. The Baek, Cheon and Hong proposal Complexity Time complexity R AES rounds: 32 R table lookups + 31 R xor of 256-bits words. For R = 10: 320 table lookups + 310 xor of 256-bit words. Very fast Memory requirement R AES rounds: 32 R 16-bit to 256-bit mappings. For R = 10: 320 16-bit to 256-bit mappings ≈ 160MB Patrick Derbez Yet another attack on whitebox AES implementation 12 / 31

  14. The Baek, Cheon and Hong proposal Issue 16-bit to 256-bit mappings: F i = M i ◦ S ◦ ⊕ ( k i ⊕ a i ) ◦ ( A i , i , A i , i +1 ) Remark F i ( x , 0) = M i ◦ S ◦ ⊕ ( k i ⊕ a i ) ◦ A i , i ( x ) is a 8-bit to 256-bit mapping. Composing with right projection ⇒ affine equivalent to AES Sbox. Patrick Derbez Yet another attack on whitebox AES implementation 13 / 31

  15. The Baek, Cheon and Hong proposal Issue 16-bit to 256-bit mappings: F i = M i ◦ S ◦ ⊕ ( k i ⊕ a i ) ◦ ( A i , i , A i , i +1 ) Remark F i ( x , 0) = M i ◦ S ◦ ⊕ ( k i ⊕ a i ) ◦ A i , i ( x ) is a 8-bit to 256-bit mapping. Composing with right projection ⇒ affine equivalent to AES Sbox. � 2 25 � Possible to recover affine mappings in O using the affine equivalence algorithm from Biryukov et al. . Patrick Derbez Yet another attack on whitebox AES implementation 13 / 31

  16. The Baek, Cheon and Hong proposal Affine Equivalence Algorithm In 2003, Biryukov, De Canni` ere, Braeken and Preneel proposed an algorithm to solve the following problem: Given two bijections S 1 and S 2 on n bits, find affine mappings A and B such that S 2 = B ◦ S 1 ◦ A , if they exist. Ascertain whether such mappings exist Enumerate all solutions � n 3 2 2 n � Time complexity in O Patrick Derbez Yet another attack on whitebox AES implementation 14 / 31

  17. The Baek, Cheon and Hong proposal Affine Equivalence Algorithm In 2003, Biryukov, De Canni` ere, Braeken and Preneel proposed an algorithm to solve the following problem: Given two bijections S 1 and S 2 on n bits, find affine mappings A and B such that S 2 = B ◦ S 1 ◦ A , if they exist. Ascertain whether such mappings exist Enumerate all solutions � n 3 2 2 n � Time complexity in O � n 3 2 n � Time complexity for linear version in O Patrick Derbez Yet another attack on whitebox AES implementation 14 / 31

  18. The Baek, Cheon and Hong proposal Baek et al. Proposal To avoid this weakness, take 32 random 8-bit to 256-bit mappings h i . The 16-bit to 256-bit tables are defined as T i ( x , y ) = F i ( x , y ) ⊕ h i ( x ) ⊕ h i +1 ( y ) And we can evaluate the encoded round function with 31 31 � � F i ( x i , x i +1 ) = F ( r ) ( x 0 , . . . , x 31 ) T i ( x i , x i +1 ) = i =0 i =0 Security claim : 110-bit Patrick Derbez Yet another attack on whitebox AES implementation 15 / 31

  19. Dedicated Attack Introduction 1 The Baek, Cheon and Hong proposal 2 3 Dedicated Attack Generic attack 4 Patrick Derbez Yet another attack on whitebox AES implementation 16 / 31

  20. Dedicated Attack Overview of the attack � ∗ ∗ � ∗ ∗ ... From encoded round functions F ≃ M ◦ S ◦ A with A ≃ ∗ ∗ 1 Reduce the problem to block diagonal encodings : ⇒ � F = M ◦ S ◦ B with B block diagonal. 2 Compute candidates for each block: Using a projection, P ◦ M ◦ S ◦ B i is affine equivalent to S . 1 Use the affine equivalence algorithm from [BCBP03] to get some 2 candidates for B i . 3 Identify the correct blocks : Use a MITM technique to filter the wrong candidates Patrick Derbez Yet another attack on whitebox AES implementation 17 / 31

  21. Dedicated Attack Reducing the problem to block diagonal encodings Decompose A in A = B ◦ � A with: B block diagonal affine mapping built from B i ’s (unknown) � A with same structure as A , built from blocks (0 8 Id 8 ) ◦ E − 1 (known) i Patrick Derbez Yet another attack on whitebox AES implementation 18 / 31

  22. Dedicated Attack Reducing the problem to block diagonal encodings Decompose A in A = B ◦ � A with: B block diagonal affine mapping built from B i ’s (unknown) � A with same structure as A , built from blocks (0 8 Id 8 ) ◦ E − 1 (known) i For all 0 ≤ i ≤ 31 : 1 compute Ker L i with L i = ( A i , i A i , i +1 ) (8 × 16 matrix) 2 get a basis ( e 1 , . . . , e 8 ) of Ker L i 3 complete this basis ⇒ E i = ( e 1 . . . e 16 ) 4 ∃ B i 8x8 invertible matrix s.t. L i = B i ◦ (0 8 Id 8 ) ◦ E − 1 i Patrick Derbez Yet another attack on whitebox AES implementation 18 / 31

  23. Dedicated Attack Find Ker L i with L i = ( A i , i A i , i +1 ) For any ( a , b ) ∈ F 8 2 × F 8 2 : 1 x ∈ Ker A i , i ⇒ y �→ T i ( a ⊕ x , b ⊕ y ) ⊕ T i ( a , b ⊕ y ) is constant 2 y ∈ Ker A i , i +1 ⇒ x �→ T i ( a ⊕ x , b ⊕ y ) ⊕ T i ( a ⊕ x , y ) is constant ( x , y ) ∈ Ker L i ⇒ T i ( a , b ) ⊕ T i ( a ⊕ x , b ) ⊕ T i ( a , b ⊕ y ) ⊕ T i ( a ⊕ x , b ⊕ y ) = 0 3 If x ∈ Ker A i , i then : Patrick Derbez Yet another attack on whitebox AES implementation 19 / 31

Recommend

2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid

2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid

From Blackbox Fuzzing to Whitebox Fuzzing towards Verification 2000 2010 2015 2005 Blackbox Fuzzing Verification Whitebox Fuzzing Patrice Godefroid Microsoft Research ISSTA2010 Page 1 July 2010 Acknowledgments Joint work with:

633 views • 38 slides
Padding Oracle Attack for non-standard PKCS#1 v1.5 Can non-standard implementation provide us a

Padding Oracle Attack for non-standard PKCS#1 v1.5 Can non-standard implementation provide us a

Padding Oracle Attack for non-standard PKCS#1 v1.5 Can non-standard implementation provide us a shelter? Si Gao Hua Chen Limin Fan Trusted Computing and Information Assurance Laboratory, Institute of Software, Chinese Academy of Sciences

442 views • 40 slides
Towards(Practical(Whitebox Cryptography:( Optimizing(Efficiency(and(Space(Hardness Andrey'Bogdanov

Towards(Practical(Whitebox Cryptography:( Optimizing(Efficiency(and(Space(Hardness Andrey'Bogdanov

Towards(Practical(Whitebox Cryptography:( Optimizing(Efficiency(and(Space(Hardness Andrey'Bogdanov ,(Takanori Isobe and(Elmar Tischhauser DTU(and(Sony Hanoi,(Vietnam Asiacrypt16 5 December(2016 Motivation

766 views • 50 slides
Attack on Traffic Systems These attack examples have happened in the past. We will take an

Attack on Traffic Systems These attack examples have happened in the past. We will take an

From start to finish how a cyber attack would be performed on traffic system, we will go over first day >> exploitation of the device >> the real-world aftermath. Mission Secure, Inc. Attack on Traffic Systems These attack examples

557 views • 18 slides
Automated Whitebox Fuzz Testing Patrice Godefroid (Microsoft Research) Michael Y. Levin

Automated Whitebox Fuzz Testing Patrice Godefroid (Microsoft Research) Michael Y. Levin

Automated Whitebox Fuzz Testing Patrice Godefroid (Microsoft Research) Michael Y. Levin (Microsoft Center for Software Excellence) David Molnar (UC Berkeley & MSR) Fuzz Testing Send random data to application B.

366 views • 36 slides
Whitebox Fuzzing David Molnar Microsoft Research Problem: Security Bugs in File Parsers Hundreds

Whitebox Fuzzing David Molnar Microsoft Research Problem: Security Bugs in File Parsers Hundreds

Whitebox Fuzzing David Molnar Microsoft Research Problem: Security Bugs in File Parsers Hundreds of file formats are supported in Windows, Office, et al. Many written in C/C++ Programming errors security bugs! Random choice of x: one

493 views • 35 slides
ATTACK: Learning the Distributions of Adversarial Examples for an Improved Black-Box Attack on

ATTACK: Learning the Distributions of Adversarial Examples for an Improved Black-Box Attack on

ATTACK: Learning the Distributions of Adversarial Examples for an Improved Black-Box Attack on Deep Neural Networks Yandong Li* 1 Lijun Li* 1 Liqiang Wang 1 Tong Zhang 2 Boqing Gong 3 *Equal Contribution 1 University of Central Florida 2 Hong

440 views • 11 slides
Detecting a Biological Attack The attack will not be obvious; it may take hours or days to know.

Detecting a Biological Attack The attack will not be obvious; it may take hours or days to know.

Detecting a Biological Attack The attack will not be obvious; it may take hours or days to know. Current biological diagnostics are very effective at identifying agents, but theyre slow. We already have an infrastruc- ture in place to

233 views • 8 slides
ss 8 Class Cl CSC 495/583 Topics of Software Security PLT, GOT & Return-to-plt Attack

ss 8 Class Cl CSC 495/583 Topics of Software Security PLT, GOT & Return-to-plt Attack

ss 8 Class Cl CSC 495/583 Topics of Software Security PLT, GOT & Return-to-plt Attack & GOT Overwrite Attack Dr. Si Chen (schen@wcupa.edu) Review Page 2 ret2libc Attack Page 3 libc C standard library Provides

662 views • 36 slides
.tr DDoS Attack December 2015 Attila zgit .tr ccTLD Manager Dec, 2015 .tr DDoS Attack A

.tr DDoS Attack December 2015 Attila zgit .tr ccTLD Manager Dec, 2015 .tr DDoS Attack A

.tr DDoS Attack December 2015 Attila zgit .tr ccTLD Manager Dec, 2015 .tr DDoS Attack A Summary of a 3 weeks long experience 2016-03-07 Dec 2015 DDoS Attack on .TR 2 Before DDoS q Infrequent Small scale DoS and DDos Attacks Few

606 views • 14 slides
Reveal Secrets in Adoring Poitras A generic attack on white-box cryptography Junwei Wang

Reveal Secrets in Adoring Poitras A generic attack on white-box cryptography Junwei Wang

Reveal Secrets in Adoring Poitras A generic attack on white-box cryptography Junwei Wang CryptoExperts University of Luxembourg University of Paris 8 ECRYPT-NET School on Correct and Secure Implementation October 11, 2017, Crete Outline 1

595 views • 26 slides
A New Side-Channel Attack on RSA Prime Generation Thomas Finke, Max Gebhardt, Werner Schindler

A New Side-Channel Attack on RSA Prime Generation Thomas Finke, Max Gebhardt, Werner Schindler

A New Side-Channel Attack on RSA Prime Generation Thomas Finke, Max Gebhardt, Werner Schindler Federal Office for Information Security (BSI), Germany Lausanne, September 7, 2009 Outline r Introduction and Motivation r The Attack r Basic attack

514 views • 25 slides
Known plaintext attack on encrypted ZIP files Barosan Dragos Laurentiu Supervisor: Armijn Hemel

Known plaintext attack on encrypted ZIP files Barosan Dragos Laurentiu Supervisor: Armijn Hemel

University of Amsterdam System and Network Engineering Known plaintext attack on encrypted ZIP files Barosan Dragos Laurentiu Supervisor: Armijn Hemel Why? There is no open source implementation Source Code available for PkCrack by

838 views • 19 slides
Cryptanalysis of PRINT CIPHER : The Invariant Subspace Attack Gregor Leander, Mohamed

Cryptanalysis of PRINT CIPHER : The Invariant Subspace Attack Gregor Leander, Mohamed

Description of PRINT CIPHER The Attack Relation To Truncated Differential Attack Conclusion Cryptanalysis of PRINT CIPHER : The Invariant Subspace Attack Gregor Leander, Mohamed Abdelraheem, Huda AlKhzaimi, and Erik Zenner DTU Mathematics

598 views • 37 slides
Ransomware Attack Briefing Presidents Leadership Council October 21, 2019 August 8 Cyberattack

Ransomware Attack Briefing Presidents Leadership Council October 21, 2019 August 8 Cyberattack

Ransomware Attack Briefing Presidents Leadership Council October 21, 2019 August 8 Cyberattack Summary : The attack was severe and sophisticated; categorized as a catastrophic attack. It was highly strategic with regard to timing

330 views • 16 slides
TCPDB.DAT case Archive file signatures Attack surface Attack vectors Defense Conclusions P A

TCPDB.DAT case Archive file signatures Attack surface Attack vectors Defense Conclusions P A

Introduction Motivation SAP compression algorithms Archive file programs SAP archive file formats CAR SAR v2.00 SAR v2.01 Relative/absolute paths TCPDB.DAT case Archive file signatures Attack surface Attack vectors

913 views • 49 slides
ASCs 5.1 Surround ATTACK Wall walls and corners. Its name, ATTACK is an acronym that

ASCs 5.1 Surround ATTACK Wall walls and corners. Its name, ATTACK is an acronym that

December 7-8, 2001, Beverly Hills, CA. Corporation, at the Surround 2001 International Conference and Technology Showcase, .E., President of Acoustic Sciences Transcript of a seminar presented by Arthur Noxon P ASCs 5.1 Surround ATTACK Wall

243 views • 6 slides
Identifying Attack Vectors Professor Larry Heimann Web Application Security Information Systems

Identifying Attack Vectors Professor Larry Heimann Web Application Security Information Systems

Identifying Attack Vectors Professor Larry Heimann Web Application Security Information Systems Nothing is in isolation Attack surface An attack surface is the total number of possible attack vectors Think of a house, with the

309 views • 15 slides
KRACK Attack Team 05 Duncan Yee Eric Kwok Derrick Lee 1 Content Introduction Overview

KRACK Attack Team 05 Duncan Yee Eric Kwok Derrick Lee 1 Content Introduction Overview

KRACK Attack Team 05 Duncan Yee Eric Kwok Derrick Lee 1 Content Introduction Overview Problem Implementation Discussion References 2 Introduction The IEEE 802.11 wireless network protocol is the most common protocol used to connect

1k views • 30 slides
Attack Class: Address Spoofing L. Todd Heberlein 23 Oct 1996 Net Squared Inc. todd@NetSQ.com

Attack Class: Address Spoofing L. Todd Heberlein 23 Oct 1996 Net Squared Inc. todd@NetSQ.com

Attack Class: Address Spoofing L. Todd Heberlein 23 Oct 1996 Net Squared Inc. todd@NetSQ.com Overview of Talk l Introduction l Background material l Attack class l Example attack l Popular questions l Extensions UCD Vulnerabilities Group l

759 views • 24 slides
Recent Attack Technologies Neil Long OxCert Introduction Hope for audience participation!

Recent Attack Technologies Neil Long OxCert Introduction Hope for audience participation!

Recent Attack Technologies Neil Long OxCert Introduction Hope for audience participation! At least two aspects Target payloads Attack origins Future? arenas Attack Payloads Buffer overflow Format strings

535 views • 18 slides
Introduction Attack Graphs Model Creation Analysis of Attack Graphs

Introduction Attack Graphs Model Creation Analysis of Attack Graphs

EVA Evolutionary Vulnerability Analyzer A Framework for Network Analysis and Risk Assessment Dr. Melissa Danforth Department of Computer Science California State University, Bakersfield Introduction Attack Graphs Model Creation

684 views • 50 slides
Attack- based Domain Transition Analysis Susan Hinrichs shinrich@ uiuc.edu Prasad Naldurg

Attack- based Domain Transition Analysis Susan Hinrichs shinrich@ uiuc.edu Prasad Naldurg

Attack- based Domain Transition Analysis Susan Hinrichs shinrich@ uiuc.edu Prasad Naldurg prasadn@ microsoft.com SE Linux Symposium Attack- based DTA 1 06 Outline Motivation Review of type enforcement transitions Attack

471 views • 18 slides
The Crossfire Attack Min Suk Kang Soo Bum Lee Virgil D. Gligor ECE Department and CyLab,

The Crossfire Attack Min Suk Kang Soo Bum Lee Virgil D. Gligor ECE Department and CyLab,

The Crossfire Attack Min Suk Kang Soo Bum Lee Virgil D. Gligor ECE Department and CyLab, Carnegie Mellon University May 20 2013 Old: DDoS Attacks against Single Servers typical attack : floods server with HTTP, UDP, SYN, ICMP packets

613 views • 28 slides

More recommend