Evolution of Whitebox Cryptography: There Is No Security Without Secrecy!

As security breaches are increasing in size and type, newer security technologies are being designed to protect against the breaches. Cryptography is at the core of these security technologies.

A fundamental objective of cryptography is to secure communications between two parties, so that only the communicating parties can read and process the communicated messages. This objective is a natural requirement of human society; the study of securing communications (cryptography) goes back at least 4,000 years.

Pre-WWII Cryptography

Prior to 1948, the approach to cryptography was mostly ad hoc, without much rigorous backing of mathematics:

  • Messages were tattooed on a messenger’s head and concealed with regrown hair; they were written on yard threads and woven into a clothing for the messenger; they were written in invisible inks. These methods can be traced back to 440 BC.
  • Slightly more sophisticated methods based on systematic scrambling – a process known as enciphering – were designed; for example, ‘Caesar cipher’ [44 BC] shifted each letter two places further through the alphabet; the ‘Vigenère cipher’ [1585] was a series of interwoven Caesar ciphers based on the letters of a secret keyword; the ‘pigpen cipher’ [18th century] substituted letters with symbols.
  • Fast forward, the Enigma machine, used to communicate secret messages by Germans in World War I and World War II, also scrambled messages with sequences of some permutations. This was one of the most complex encryption methods of its time. Famously, Alan Turing, a brilliant English mathematician, broke the Enigma code; as a result of this, the Allies were able to gather intelligence that enabled them to defeat the Nazis and win the war.

The common theme in all of these approaches to cryptography was that the encoding methods were designed without a strong mathematical framework on hardness of breaking codes.

Modern Cryptography

This changed in 1948, when Claude Shannon published “A Communications Theory of Secrecy Systems” [Shannon49]. For what had mainly been an art, this work was the first to provide a scientific framework. It proved that, in order to achieve perfect secrecy from ad-hoc codes, one needs to hold a secret key that is impractically long; specifically, the key length must be at least as long as all possible messages put side-by-side (e.g., to obtain perfect secrecy for 128-bit messages, one needs a key of length 2128 x 128 ~ 1040). Clearly, this is highly impractical.

The groundbreaking result paved the way to a new method for devising cryptographic methods founded on mathematical assumptions. For example, security of the RSA encryption is based on the assumption that factoring a product of large prime numbers is very hard. This new age of cryptography is called “modern cryptography.”

Modern cryptography is characterized by systematic and rigorous methodologies. It is based on modeling the power of a hacker; cryptographic schemes are then designed to protect against those hacks.

Perception of a Hacker Evolved Swiftly in Modern Cryptography

Since [Shannon49], cryptography has advanced immensely in terms of the hacker’s power that it can defend against; stronger and stronger hackers are being modeled and new cryptographic protocols are being designed to protect against them.

We will see a snapshot of the evolution. But before we proceed, here is some terminology we will use:

  • Encryption refers to the process of scrambling a message.
  • A ciphertext refers to a scrambled message resulting from encryption.
  • Decryption refers to the process of unscrambling a ciphertext; that is, the inverse of encryption.
  • A secret key is a string that enables encryption/decryption.

Modern cryptography began by assuming a not-so-powerful hacker and designed defenses against her. It evolved by modeling stronger hackers and designing corresponding defenses.

Consider the following example scenario: let’s say, you want to securely converse with your friend. Below is how a hacker has evolved in the history of modern cryptography. We assume that messages are encrypted in the devices and then sent to the other person; also, once the ciphertexts are intercepted by the devices, they are decrypted.

Chosen-Plaintext Attack (CPA) [1982]: Imagine a hacker eavesdropping on the communication channel between you and your friend. The hacker’s hope is that the ciphertexts passing through the channel leak some useful information. This is the so-called chosen-plaintext attack, and it is the first and the simplest kind of attack considered in modern cryptography. The popular RSA encryption scheme is secure against such hackers.

Chosen-Ciphertext Attack (CCA) [1990]: Imagine a hacker who can not only eavesdrop on the communication channel, but also change contents of the communication channel and learn the corresponding decrypted messages. It may not be very intuitive that this additional capability gives the hacker any additional advantage in breaking the encryption mechanism; however, interestingly, there are strong evidences that a CCA hacker is strictly stronger than a CPA hacker.

Side-channel Attack [1992]: Thus far, it was assumed that a hacker can only access the inputs/outputs of a cryptographic implementation; the devices implementing encryption/decryption were assumed to be black boxes from the view of a hacker. What if the hacker is in the same coffee shop as you are, and listens to the CPU noise of your laptop? Or, what if she taps the power lines coming out of your home and records the power dissipation pattern from your device? Can this leak information about your secret key? Surprisingly, it was shown that a simple power analysis on RSA could easily reveal the entire secret key. A side channel is any ‘unusual channel’ for obtaining information about the secret key. Other side channels include leaked electromagnetic radiation and acoustic signals from the computing device.

Tampering Attack [1996]: Similar to a side-channel attack, a tampering attack model acknowledges that black-box attack models are highly unrealistic in today’s sophisticated cyber arena. Imagine a hacker who installs some malware on your device that modifies (or tampers with) the encryption/decryption code itself. The code might be modified such that it sends the secret key itself to the hacker.

Whitebox Attack [2002]: What if a hacker is so powerful that she gets right into your device, through a powerful malware, and can do much more than just simple tampering with the cryptographic code? If you store the secret key in the devices, then the attacker can simply read the key! Think about it. Then, all security guarantees of any encryption scheme are off.

Unfortunately, modern cryptosystems are not strong enough to defend against whitebox hackers. Although there are some academic advancements, they are highly inefficient and far from being practical.

The All-Powerful Whitebox Hacker and Whitebox Cryptography

“There is no security without secrecy.”

Hackers are extremely smart and constantly evolving. There has been a rat race between the hackers and the cryptographers. As soon as the cryptographers model the hackers and design defenses, the hackers evolve and break/get around those defenses.

This makes us conclude that any assumption on a hacker’s behavior is bound to be broken soon. This is the premise for modeling a whitebox hacker, who gets complete access to a cryptographic implementation. The whitebox attack model fully acknowledges the sophistication of today’s black-hat hackers and makes no assumption on their power (or lack thereof). Imagine a naïve implementation of the RSA encryption, wherein the secret key is in the clear. A whitebox hacker can easily read off the secret key from the code. It is crucial to securely protect the secret key against whitebox attacks. In fact, securing the key is as important as encrypting sensitive data; locking a door with the key left in the lock is as good as not locking the door at all.

Intertrust whiteCryption for Whitebox Cryptography

Naturally, the stronger the hacker, the harder it is to defend against the hack. Hence, encryption schemes that secure against whitebox hackers are extremely challenging to design. At Intertrust Technologies, we take pride in whiteCryption products that solve the important challenge and offer defense against sophisticated whitebox attackers.

whiteCryption has been a world leader in developing whitebox cryptography solutions, together with application shielding, code obfuscation and integrity protection solutions. Our technology can transform any app into a self-contained and self-defending application, which can effectively protect itself against a wide range of whitebox attacks, such as key extraction, debugging, code lifting, reverse engineering, piracy, re-signing, running on a rooted device, and more.

To find out how the whiteCryption solution can protect your business and customers, please look for us at booth #124 at the upcoming Black Hat USA 2017 event, Las Vegas, July 26-27, 2017. We will be happy to give you a demo of the products we offer and discuss your particular software security needs. In the meantime, please check out the online resources at https://www.intertrust.com/products/application-security/, and do not hesitate to sign up for a free trial!