4

I am familiar with white box cryptography, but somehow I still fail to see its potential applications? Which situations would necessitate using it? Maybe you can even give me an example or two?

I know it is used to protect keys, but one could say: “Hey, come on, derive a scheme where you don't need a secret key”. Or, we could simply use what we have: public key encryption. All there is to it is to maybe generate session keys and then encrypt/decrypt things using those keys.

e-sushi
  • I bet you can come up with an application for DRM usage... – SEJPM Jul 30 '16 at 17:26
  • @SEJPM something other than DRM please –  Jul 30 '16 at 17:31
  • @EllaRose can you expand? –  Jul 30 '16 at 17:31
  • Host Card Emulation (HCE), which is commonly used for mobile payments. See e.g. http://www.bellid.com/blog/what-is-white-box-cryptography/ for more detail. – user4982 Jul 30 '16 at 19:36
  • Please, to all: instead of replying with one sentence, provide an elaborated example of how and where white box crypto would be necessary and useful. –  Jul 30 '16 at 19:51
  • Comments are not meant for answering the question but rather asking for clarification or noting related information or potentially useful / interesting information for the asker and / or potential answerers. – SEJPM Jul 30 '16 at 20:11
  • @SEJPM Re your (absolutely correct) comment. Erm… whatever you do today, do not scroll down 8] because I think I might have managed to provide a prime example of how not to use the comment area… by über-explaining things instead of simply posting an answer and be done with it. – e-sushi Aug 01 '16 at 07:43
  • Related https://crypto.stackexchange.com/q/10989/16588 – hola May 14 '21 at 03:18

2 Answers

8

It could enable a key exchange based off of symmetric primitives alone. For example, suppose I can provide to you a program that will allow you to perform AES-256 encryption of a single plaintext block. I could send you this program, you could perform your encryption and send me the result, and due to the whitebox nature of the algorithm, only I can decrypt it (not even you can).

This basically creates a public key encryption scheme using only the white box symmetric primitive. This is valuable because of the hardness assumptions that underlie traditional public key primitives versus those of symmetric primitives. There is no known way to scratch the surface of the security of a single AES encryption. This is contrary to ordinary public key crypto, which is based on problems that more or less have very clear solutions, and only work because there are no known algorithms that are efficient enough to handle the key sizes involved.

The key sizes for AES are significantly smaller than, say, an RSA keypair, and the operations are significantly more efficient. A white box implementation might be different than a traditional implementation in this respect, but we'll have to wait and see.

This is not possible with a traditional implementation of AES because anyone who knows the key can perform both the encryption and decryption operations. With a white box implementation, the key is embedded into the program in a manner that makes it (ideally) impossible to extract. Of course, this also implies the program is constructed to only possess the encryption capability, and not decryption.

Ella Rose
  • 1
    for completeness please add also why I would not be able to do same just using AES 256 (without white box) –  Jul 31 '16 at 07:26
  • @user200300 Chances are that the following Q&A will help you to grasp that last bit… “What is a white-box implementation of a cryptographic algorithm?” – e-sushi Jul 31 '16 at 10:57
  • @e-sushi No that I've read that - that example mentions how white box crypto would help if I hard coded AES key in code. What if I don't hard code and neither use white box - can't I achieve same what Ella Rose suggests in this post??? –  Jul 31 '16 at 18:12
  • 1
    @user200300 no, because "anyone who knows the key can perform both encryption and decryption" - a white box implementation lets you perform encryption using my key, without me giving you my key. – Ella Rose Jul 31 '16 at 18:23
  • @user200300 Exactly what Ella wrote! Besides, if you …don't hard code and neither use white box, we’re not talking white-box crypto anymore… which would render your question superfluous. ;) In the end, it’s all about definitions and scenarios. White box crypto can make a lot of sense in the correct scenarios (and when implemented correctly)… but you’re not all that wrong when you think that white box crypto can also break your neck if you try to use it in scenarios it wasn’t invented for. Let’s see if I can wrap up a small example as a final comment here. OK, maybe it helps if you… [1/2] – e-sushi Jul 31 '16 at 23:21
  • @user200300 [2/2] … think of white box crypto as something you’d use as a company if you wanted to copy-protect movie DVDs. The DVDs will play fine on compatible DVD players people would have to buy from your company (does DRM ring a bell?). First reaction: “I’ll earn mucho money!” But then someone breaks into a DVD player to recover the hard-coded keys you’ve tried to hide within your WBC implementation. Result: copy-protection dead – which marks the end of your money dream (while proving that WBC isn’t optimal for DRM efforts.) OTOH, there are other scenarios where WBC makes a lot of sense. – e-sushi Jul 31 '16 at 23:30
  • @e-sushi In your DVD case I would hard code my company key inside DVD that is what you mean? So that other DVD players can't decode movie? –  Aug 01 '16 at 06:35
  • @user200300 The keys would be hardcoded in the playback devices, where your WBC implementation resides. (Putting secrets/keys on each and every DVD would be overkill as you’ll always sell more DVDs than playback devices.) So, the DVDs would merely contain the “encrypted” movies, and that expensive DVD player you sold to everyone on the planet would be the only player decoding them – unless you sub-license your WBC implementation to other companies, who would then be able to create and sell their own playback devices with your WBC (which would provide additional income via “licensing fees”). – e-sushi Aug 01 '16 at 07:22
  • @user200300 But as I said, in the end that’s not the best scenario to use WBC, because movie fans are a bit like PlayStation gamers… if they think there’s something they can grab for free, you can be sure that sooner or later someone is going to hack his/her way into things. In the end, they’d decrypt any DVD with “stolen” keys… and your business would start going down the drain. That’s why I said that it’s not a good idea to use white box crypto for DRM or alike copy-protection purposes. It’s just an example to explain WBC and what weird things you could (but really shouldn’t) do with it. ;) – e-sushi Aug 01 '16 at 07:28
  • @user200300 In case you want to dive in deeper – there’s more info about the key-issue and how you could try to solve it at the Q&A “Why to try get key out of white box crypto? How can one protect WBC itself?”. Anyway… you meanwhile seem to understand WBC a bit better than a few days ago; which meant I can stop posting comments (that must be driving Ella crazy). By the way – if the answer by Ella Rose is OK for you, please don’t forget to *accept the answer* with a click on that checkmark. It’ll turn green if you do. Thanks in advance. Cya! – e-sushi Aug 01 '16 at 07:50
4

We can divide the applications into several categories according to the security notions related to white-box cryptography.

  1. Unbreakability: means protecting against key extraction in the worst-case attack model, where an adversary fully controls the running environment. Mobile payment (e.g. HCE), digital content distribution and soft-keyboard-typed password protection belong to this category.
  2. One-wayness: means it is difficult to reverse a white-box implementation. In this sense, we can turn a white-box implemented symmetric primitive into a public-key primitive, where the published implementation is the public key and the key of your symmetric primitive is hence the private key.
  3. Incompressibility: means you cannot easily compress the white-box implementation below some boundary. I do not know any practical application of this notion so far.
  4. Traceability: means it is possible to put an irremovable watermark into your implementation, which can be used to track the distribution of your software, or to detect illegal leakage of assets.
Junwei WANG
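
An added illustration (not code from either answer) of the exchange Ella Rose describes and of item 2 in Junwei WANG's list: the key holder compiles a key into lookup tables, the recipient encrypts with the tables alone, and only the key holder decrypts. It uses the table-with-random-encodings construction known from the white-box literature on a constructed toy cipher. Assumptions: the 8-bit block, the random S-box, the three round keys and all function names are hypothetical, and a block this small can be inverted by tabulation, so it shows the structure and carries no security.

```python
import random

def perm(rng):  # random byte permutation: stands in for an S-box or an encoding
    return rng.sample(range(256), 256)

def invert(p):
    inv = [0] * 256
    for i, v in enumerate(p):
        inv[v] = i
    return inv

def encrypt_with_key(x, round_keys, sbox):
    """Ordinary implementation: the round keys are needed at run time."""
    for k in round_keys:
        x = sbox[x ^ k]
    return x

def decrypt_with_key(y, round_keys, sbox):
    """Key holder only: undo the rounds in reverse order."""
    inv = invert(sbox)
    for k in reversed(round_keys):
        y = inv[y] ^ k
    return y

def compile_tables(round_keys, sbox, rng, encode=True):
    """Fold each round key into a lookup table. With encode=True a random byte
    encoding g hides each round boundary: T_r = g_{r+1} o S o xor_k o g_r^-1."""
    ident, tables, g_in = list(range(256)), [], list(range(256))
    for r, k in enumerate(round_keys):
        g_out = perm(rng) if encode and r < len(round_keys) - 1 else ident
        g_in_inv = invert(g_in)
        tables.append([g_out[sbox[g_in_inv[x] ^ k]] for x in range(256)])
        g_in = g_out
    return tables

def encrypt_with_tables(x, tables):
    """What the recipient runs: table lookups only, no key passed in."""
    for t in tables:
        x = t[x]
    return x

def key_guess_from_tables(tables, sbox):
    """Leak check: a bare table T[x] = S[x ^ k] gives k away as S^-1[T[0]]."""
    inv = invert(sbox)
    return [inv[t[0]] for t in tables]

rng = random.Random(2016)  # constructed sample values, fixed seed
SBOX, KEYS = perm(rng), [0x3A, 0xC5, 0x7E]
NAIVE = compile_tables(KEYS, SBOX, rng, encode=False)
ENCODED = compile_tables(KEYS, SBOX, rng)
```

Both table sets encrypt identically to `encrypt_with_key`, but `key_guess_from_tables(NAIVE, SBOX)` returns `KEYS` exactly while the same check on `ENCODED` does not. This is the difference between merely hard-coding a key and folding it into encoded tables.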