white-box crypto Was: consulting question....

James Muir muir.james.a at gmail.com
Thu May 28 09:54:35 EDT 2009


Alexander Klimov wrote:
> On Tue, 26 May 2009, James Muir wrote:
>> There is some academic work on how to protect crypto in software from
>> reverse engineering.  Look-up "white-box cryptography".
>>
>> Disclosure:  the company I work for does white-box crypto.
> 
> Could you explain what is the point of "white-box cryptography" (even
> if it were possible)?

The introduction to the following paper (from SAC 2002) gives a very
good overview of white-box crypto:

http://www.scs.carleton.ca/%7Epaulv/papers/whiteaes.lncs.ps

> If I understand correctly, the only plausible result is to be able to
> use the secret key cryptography as if it were the public-key one, for
> example, to have a program that can do (very slow, btw) AES
> encryption, but be unable to deduce the key (unable to decrypt). If
> this is the case, then why not use normal public-key crypto (baksheesh
> aside)?

You're right -- a white-box implementation of a symmetric cipher
essentially creates an asymmetric cipher.  Despite this, there are still
situations where you might want a whitebox AES implementation running on
a client.  Consider a server that sends out updates to several hundred
clients (each client has its own key).  The clients are subject to
whitebox attacks but the server is not.  Rather than force the server to
do several hundred public-key operations when it needs to push out an
update, we might be able to save the server some work if use a symmetric
cipher.

-James


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: OpenPGP digital signature
URL: <http://www.metzdowd.com/pipermail/cryptography/attachments/20090528/240a5f3d/attachment.pgp>


More information about the cryptography mailing list