# Cryptography Threat Models and WBC

CRYPTOGRAPHY THREAT MODELS AND WHITE BOX CRYPTOGRAPHY : PRELIMINARY

prepared by Antonius Cahya Prihandoko

The threat models for traditional cryptographic applications are black-box attack models. In these models, an attacker is assumed to have no physical access to the encryption key or any internal workings; attackers can only control the input and output of the algorithm and can not know detailed implementation of the system. There are three level of attacks in black-box model:

• passive (a.k.a plaintext attack): adversary only observes the input-output of the system;
• active (a.k.a chosen plaintext attack (CPA)): adversary chooses arbitrary plaintext and is given corresponding ciphertext;
• adaptive (a.k.a chosen ciphertext attack (CCA)): adversary chooses ciphertext and obtains its decryption under an unknown key.

These attacks are aimed to gain further information which reduces the security of the system.

With black-box assumption, the algorithms need to be executed in a secure environment. However, this assumption is not appropriate for DRM implementation. In addition, from an industrial point of view, this deployment is impractical. The increasing spread of commercial applications involving cryptography into untrusted commodity host environments. Wrong context protocols deployment, badly algorithms implementation or inappropriate parameters may leak an entry point for attackers. At this point the implementation is turned into a Gray shaded box, rather than black box.

The gray-box cryptography assumes that the attackers have partial access to the physical implementation of a cryptographic system. The attackers exploit side channel information leaked from the system. The leakage is observed through timing information, power consumption, or electromagnetic radiation. This is a side channel analysis (SCA) attacks that allows hackers to reveal parts of the key and reduce efficacy of the protection. The gray-box cryptography illustrates that partial access of inner working, side effects or algorithm execution can weaken the security of the system.

A more appropriate attack model for the algorithm used in DRM implementation is the white-box attack model. In this model, attackers have full control over the whole operation and can freely observe dynamic code execution. Internal algorithm details are absolutely visible and alterable.

White-box cryptography (WBC) is an obfuscation technique intended to implement cryptographic primitives in a white-box attack model. The intention is to protect secret keys from being disclosed in a software implementation. The protection is done in such a way even when the platform on which the application is executed are subject to the control of potentially hostile end-users. Despite providing a fully transparent methodology, WBC integrates the cipher in such a way that does not reveal the secret key.

White-box Implementation

The basic notion of white-box implementations is to rewrite a key so that all information related to the key is hidden. External encoding can be used so that the encryption and decryption software require encoded inputs, and produce encoded outputs. This encoding mechanism can be done by replacing the encryption key $E_{k}$ with the composition $E_{k}' = G \circ E_{k} \circ F^{-1}$. Input encoding key $F$ and output decoding key $G^{-1}$ must not be in the same platform that computes $E_{k}'$, so that the white box implementation cannot be used to compute $E_{k}$. This means that encoding input and decoding output have to kept secret. At this point, white box implementation cannot stand alone; it should be used in conjunction with other techniques to provide protection against key recovery attacks. Although this scenario is not standard, such an approach is useful for many DRM implementations.

The main application of the white-box scenario is to secure content distribution such as in DRM implementations, where the content is often executed in unsecure environments. One may wonder how it is possible to securely protect the key within the executed code when an adversary can fully monitor and alter each instruction. A secure protection can be achieved by combining the effect of the secret key with some implementation specific data using a mathematical operation that is extremely hard to invert. This mechanism allows constructing a system that operates similarly to the asymmetric encryption algorithm, with a performance level close to the symmetric algorithm. Therefore, a white-box implementation forces the user to use software at hand.

How secure is a white-box implementation? The security is relative; there is no system that is absolutely secure. A system is secure relative to a security model which may depend on an adversary’s goal and the resources that can be accessed by the adversary. In the white box scenario, it is much more difficult to determine the resources of an attacker as they are endless. The best effort in such an implementation is to prevent all known relevant threats in an effective way. The security also depends on the implementation: a strong cryptographic algorithm is not necessary for a poor implementation.

Townsville, 6 March 2013