Unboxing The White-Box: Practical Attacks Against Obfuscated Ciphers

by Eloi Sanfelix & Job de Haas & Cristofaro Mune White-Box Cryptography (WBC) aims to provide software implementations of cryptographic algorithms that are resistant against an attacker with full access to the internals. Therefore, the key must remain secure even if the attacker is able to inspect and modify the execution of the cryptographic algorithm. This is often referred to as "security in the White-Box context." In a vanilla implementation of a cryptographic algorithm, access to intermediate results directly leads to extraction of the key. To achieve security in the white-box context, data encoding schemes and strong obfuscation are typically applied. This type of implementation is commonly seen in DRM systems, and is currently gaining momentum in the mobile payment market. Assessing the security of WBC implementations is a challenge both for evaluators and for WBC designers, as it often requires a powerful mix of reverse engineering and applied cryptanalysis skills. In this presentation, we show how attacks typically used to attack hardware cryptosystems can be ported to the white-box settings. We will introduce generic yet practical attacks on WBC implementations of the TDES and AES ciphers. Additionally, we will analyze the requirements for each attack and discuss potential countermeasures. We have applied these attacks to recover cryptographic keys from commercial as well as academic implementations. During the presentation, we will demonstrate several attacks on open source WBC implementations using custom tools. If you are tasked with evaluating the attack resistance of a WBC-based solution, this presentation will provide a better understanding of what White-Box Cryptography is and how to evaluate its robustness against different key extraction attacks. If you are a WBC designer, you will obtain a better understanding of what the most common weak points of such schemes are. Our results highlight the importance of evaluating WBC implementations with respect to these generic attacks in order to provide correct judgment about their level of security.