White box cryptography is an essential technology when it comes to….pdf

Full Transcript

White box cryptography is an essential technology when it comes to minimizing security risks for open devices, such as smartphones. Devices have to be secured to avoid being analyzed or rooted. On open devices, the cryptographic keys used for making a payment are observable and modifiable, rendering...

White box cryptography is an essential technology when it comes to minimizing security risks for open devices, such as smartphones. Devices have to be secured to avoid being analyzed or rooted. On open devices, the cryptographic keys used for making a payment are observable and modifiable, rendering them vulnerable to attack. White box cryptography prevents the exposure of confidential information such as these keys. To do so, keys are obfuscated by not only storing them in the form of data and code, but also random data and the composition of the code itself. This process makes it very hard to determine the original key, even though the cryptographic algorithms are openly observable and modifiable. It should be noted, however, that there is not a standard specification for white box cryptography, so implementations may vary. White box cryptography resists reverse engineering threats to the cryptographic keys, anti-reverse engineering deterrents are also required to ensure the code surrounding the white box cryptography primitives remains intact. Cryptography is increasingly deployed in applications that are executed on open devices (such as PCs, tablets or smartphones). The open nature of these systems makes the software extremely vulnerable to attacks, since the attacker has complete control over the execution platform and the software implementation itself. This means that an attacker can easily analyze the binary code of the application, and the corresponding memory pages during execution; the attacker can intercept system calls, tamper with the binary and its execution; and use any kind of attack tool such as IDA Pro, debuggers, emulators, etc. Such an attack context is denoted as the white-box attack context. The challenge that white-box cryptography aims to address is to implement a cryptographic algorithm in software in such a way that cryptographic assets remain secure even when subject to white-box attacks. • Therefore, white-box cryptography (WBC) is an essential technology in any software protection strategy. This technology allows to perform cryptographic operations without revealing any portion of confidential information such as the cryptographic key. Without this, attackers could easily grab secret keys from the binary implementation, from memory, or intercept information that would lead to disclosure at execution time. WBC could be seen as a special purpose code generator that turns a given cipher into a robust representation. A representation where the operations on the secret key are combined with random data and code, in such a way that the random data cannot be distinguished from key information. The figure below depicts a conceptual high-level overview of WBC, for the case of a fixed key implementation. In such an implementation, the key will be hard-coded into the code. On the left hand side is the description of a cryptographic cipher and the key. White-box transformations will then generate the code for an application that is semantically the same, but for which it is hard to extract the key that is embedded into the code.

Use Quizgecko on...
Browser
Browser