Closed kaoh closed 7 years ago
In this particular case I think the 30 bits is pretty much it. If you try to run the BGE attack, you will see how long it takes to extract the key. It is a matter of seconds.
There were some new techniques proposed to make key extraction harder or not possible at all. But I am not aware of any such white-box implementation compatible with AES. In order to make the scheme more secure (in the sense of key extraction), people are basically designing new ciphers.
Whitebox is quite a nice form of obfuscation of the encryption algorithm. A reverse engineer could have trouble understanding what is actually going on in the whitebox implementation. He can see just a bunch of tables. Especially with some security-through-obscurity salt (meaning altering the scheme by reasonable modifications).
It is quite hard to find good non-broken whitebox implementations. Many of them are leaking the keys by side channels and so on.
http://www.whiteboxcrypto.com/
https://eprint.iacr.org/2015/753.pdf
https://eprint.iacr.org/2016/679.pdf
https://eprint.iacr.org/2016/203.pdf
https://www.blackhat.com/docs/eu-15/materials/eu-15-Sanfelix-Unboxing-The-White-Box-Practical-Attacks-Against-Obfuscated-Ciphers-wp.pdf
Thanks a lot. I.e. the only option currently is to use a non-standard algorithm where the lookup tables and the algorithm behavior are unknown, no way to use standard AES, right?
Correct. As I see it, AES is not well suited for white-box transformation, and it always leaks some information, resulting in the scheme being vulnerable or totally weak.
I am not aware of any AES whitebox which is secure.
OK, thanks. In general that means that open source solutions and whitebox do not work well together, based on the known working attacks which can always be equipped against the known algorithm. Also, any symmetric key based solution like those used today in EMV from MasterCard and VISA or decoder cards for digital television cannot be ported to a pure software based solution which would leak the keys. Is there any other hope to overcome this? Are there WB solutions targeting asymmetric algorithms?
Can you please give a summary of the possible weaknesses and the final strength of the encryption? I have read in the Billet paper that the complexity of a 128-bit key is reduced to 30 bits. Are there any better cutting-edge approaches in this area?