White-Box Cryptography and an AES Implementation
Conventional software implementations of cryptographic algorithms are totally insecure where a hostile user may control the execution environment, or where co-located with malicious software. Yet current trends point to increasing usage in environments so threatened. We discuss encrypted-composed-function methods intended to provide a practical degree of protection against white-box (total access) attacks in untrusted execution environments. As an example, we show how aes can be implemented as a series of lookups in key-dependent tables. The intent is to hide the key by a combination of encoding its tables with random bijections representing compositions rather than individual steps, and extending the cryptographic boundary by pushing it out further into the containing application. We partially justify our aes implementation, and motivate its design, by showing how removal of parts of the recommended implementation allows specified attacks, including one utilizing a pattern in the aes SubBytes table.
KeywordsLookup Table Malicious Software Malicious Host Output Encodings Input Encodings
- 1.J. Algesheimer, C. Cachin, J. Camenisch, G. Karjoth, Cryptographic Security for Mobile Code, pp. 2–11 in Proceedings of the 2001 ieee Symposium on Security and Privacy, May 2001.Google Scholar
- 2.R.J. Anderson, M.G. Kuhn, Low Cost Attacks on Tamper-Resistant Devices, pp. 125–136, 5th International Workshop on Security Protocols (lncs 1361), Springer 1997.Google Scholar
- 3.B. Barak, O. Goldreich, R. Impagliazzo, S. Rudich, A. Sahai, S. Vadhan, K. Yang, On the (Im)possibility of Obfuscating Programs, pp. 1–18, Advances in Cryptology-Crypto 2001 (lncs 2139), Springer-Verlag, 2001.Google Scholar
- 5.E. Biham, A. Shamir, Power Analysis of the Key Scheduling of the aes Candidates, presented at the 2nd aes Candidate Conference, Rome, Mar. 22-23 1999.Google Scholar
- 8.S. Chari, C. Jutla, J.R. Rao, P. Rohatgi, A Cautionary Note Regarding Evaluation of aes Candidates on Smart-Cards, presented at the Second aes Candidate Conference, Rome, Italy, March 22-23, 1999.Google Scholar
- 9.S. Chow, P. Eisen, H. Johnson, P.C. van Oorschot, A White-Box des Implementation for drm Applications, Proceedings of drm 2002-2nd acm Workshop on Digital Rights Management, Nov. 18, 2002 (Springer-Verlag lncs, to appear).Google Scholar
- 10.S. Chow, Y. Gu, H. Johnson, V.A. Zakharov, An Approach to the Obfuscation of Control-Flow of Sequential Computer Programs, pp. 144–155, Proceedings of isc 2001-Information Security, 4th International Conference (Malaga, Spain, 1-3 October 2001), lncs 2200, Springer-Verlag, 2001.Google Scholar
- 12.J. Daemen, V. Rijmen, Resistance Against Implementation Attacks: A Comparative Study of the aes proposals, presented at the Second aes Candidate Conference, Rome, Italy, March 22-23, 1999.Google Scholar
- 13.J. Daemen, M. Peeters, G. [van Assche, Bitslice Ciphers and Power Analysis Attacks, pp. 134–149, 7th International Workshop on Fast Software Encryption-fse 2000 (lncs 1978), Springer-Verlag, 2000.Google Scholar
- 14.J. Daemen, V. Rijmen, aes Proposal: Rijndael, http://csrc.nist.gov/encryption/aes/rijndael/Rijndael_OnlinePDF.pdf, 1999.
- 15.J. Daemen, V. Rijmen, The Design of Rijndael: aes-The Advanced Encryption Standard, Springer, 2001.Google Scholar
- 16.S. Forrest, A. Somayaji, D. H. Ackley, Building Diverse Computer Systems, pp. 67–72, Proceedings of the 6th Workshop on Hot Topics in Operating Systems, ieee Computer Society Press, 1997.Google Scholar
- 17.M. Jakobsson, M.K. Reiter, Discouraging Software Piracy Using Software Aging, pp. 1–12, Security and Privacy in Digital Rights Management-acm ccs-8 Workshop drm 2001 (lncs 2320), Springer-Verlag, 2002.Google Scholar
- 18.P.C. Kocher, Timing Attacks against Implementations of Di.e-Hellman, RSA, DSS, and Other Systems, pp. 104–113, Advances in Cryptology-Crypto’ 96 (lncs 1109), Springer-Verlag, 1996.Google Scholar
- 19.P. Kocher, J. Jaffe, B. Jun, Differential Power Analysis, pp. 388–397, Advances in Cryptology-Crypto’ 99 (lncs 1666), Springer-Verlag, 1999.Google Scholar
- 20.O. Kömmerling, M.G. Kuhn, Design Principles for Tamper-Resistant Smartcard Processors, pp. 9–20, Proceedings of the usenix Workshop on Smartcard Technology (Smartcard’ 99), usenix Association, isbn 1-880446-34-0, 1999.Google Scholar
- 24.T. Sander, C.F. Tschudin, Towards Mobile Cryptography, pp. 215–224, Proceedings of the 1998 ieee Symposium on Security and Privacy.Google Scholar
- 25.T. Sander, C.F. Tschudin, Protecting Mobile Agents Against Malicious Hosts, pp. 44–60, Mobile Agent Security (lncs 1419), Springer-Verlag, 1998.Google Scholar
- 26.N. van Someren, A. Shamir, Playing Hide and Seek with Keys, pp. 118–124, Financial Cryptography’ 99 (lncs 1648), Springer-Verlag, 1999.Google Scholar
- 27.C. Wang, A Security Architecture for Survivability Mechanisms, Doctoral thesis, University of Virginia, October 2000.Google Scholar
- 28.J. Xiao, Y. Zhou, Generating Large Non-Singular Matrices over an Arbitrary Field with Blocks of Full Rank, Cryptology ePrint Archive (http://eprint.iacr.org), no. 2002/096.