Guillaume Vinet

Breaking Practical White Box Crypto

Duration: 4 days (5hrs each day)

Date: 27th to 30th January 2021


TRAINER

Guillaume Vinet


Overview

White-Box Cryptography (WBC) makes it possible to perform cryptographic operations without relying on a hardware component, using only a software implementation. The goal is to keep the secret key safe when the code runs in an untrusted environment, where it is reasonable to assume that an attacker has full access to the software binary. In that setting, the attacker:

  • can execute the cryptographic operation, choosing the plaintext and obtaining the ciphertext.
  • can instrument the binary with a dynamic binary instrumentation (DBI) tool to monitor internal states, or even tamper with the execution to get faulty ciphertexts.

Once the WBC binary has been extracted, different techniques can be used to retrieve the secret key.

  • A cryptanalysis of the implementation can be done, but it is very time-consuming and it requires a deep mathematical background.
  • Reverse engineering can be applied to deconstruct the algorithm step by step and recode it in another language. It can lead to recovering the full implementation. However, depending on the quality of the obfuscation and the runtime protections, several weeks to several months could be required to perform the attack. Also, both in-depth reverse engineering and cryptographic skills are required.

Another way, called Differential Computational Analysis (DCA), was proposed at CHES 2016 by [Bos et al., 2016].

  • The binary is executed on a specific framework to trace internal states, for instance memory accesses or register values.
  • Once traces are available, DCA applies side-channel analysis to the set of data traces collected over many executions of the cryptographic operation with the same key.

With this kind of attack, the elapsed time can be greatly reduced, from several weeks of reverse engineering to several hours of DCA. It can be very efficient at retrieving the secret key.

[Bos et al., 2017] demonstrated that WBC is also susceptible to Differential Fault Analysis (DFA) attacks:

  • The goal is to tamper with the WBC execution by injecting one or several faults, in order to obtain faulty outputs.
  • Different algorithms exploit these altered outputs to recover the cryptographic key.

With this training:

  • You will learn WBC, DCA and DFA theory,
  • You will break native ARM64 White-Box Cryptography implementations with DCA or fault injection attacks.

What will the trainee learn?

  • Extract a WBC implementation from an Android application:
    • WBC theory,
    • Code obfuscation and anti-reverse mechanisms,
    • Device Binding.
  • Emulate an ARM64 WBC implementation with Unicorn:
    • ARM64 architecture,
    • Binary emulation theory,
    • Unicorn APIs.
  • How to acquire a WBC trace?
    • What to acquire: memory access, registers, register access,
    • When must the acquisition be started/stopped?
    • Which piece of code must be acquired?
  • How to inject faults in a WBC?
    • Statically or dynamically.
  • Side Channel Theory:
    • Differential Computation Analysis (DCA),
    • Piret's attack against AES-128.

What will the trainee do?

  • Each challenge is an Android Application embedding a White-Box Cryptography implementation. This training will focus only on the analysis of the native library implementing the White-Box, not the Java Layer.
  • You will start with two straightforward challenges to understand:
    • How to emulate a White-Box with Unicorn.
    • How to generate a trace and how to inject a fault.
    • How to recover the key with a DCA or a DFA.
    • Extremely detailed notebooks will guide you step by step from the White-Box extraction to the key recovery.
  • Then, the real fun begins:
    • You will defeat two AES White-Boxes with a DCA. One of them will be hardened against memory access traces.
    • You will defeat two AES White-Boxes with Fault Injection. One of them will require a double fault injection.

Training environment:

  • An online server with all the challenges and tools already installed. You do not waste your time on the setup, you are ready to attack!
  • You prefer to perform your analysis offline? No problem, we will give you a Docker image or the list of the required tools to be installed.
  • On the online server, Radare2 on the command line will be used to perform reverse engineering. To use Ghidra, you will need to install it on your own machine.

Why choose this training?


Requirements:

  • Basic level:
    • code analysis
    • ARM Assembly language
    • native code analysis
    • coding knowledge

ABOUT THE TRAINER

Guillaume VINET is a senior security analyst in embedded devices security. He spent several years assessing the security of smart cards (banking applications, electronic passports, integrated circuits) and point-of-sale (POS) terminals. His areas of expertise comprise reverse engineering of Android applications and White-Box Cryptography (WBC), performing either security analyses or training. He has presented at various conferences including SSTIC and WhibOx 2019.