Whitebox AES implementation in C++. Chow, Karroumi.

Branch master, latest commit 711d79f (Dec 27, 2018) by ph4r05: Merge pull request #25 from kaoh/master (Including pthread library in all targets, fix for using latest GTest …)

| Name | Latest commit message | Commit time |
| --- | --- | --- |
| tests | enc tools test - using identity coding | Jan 2, 2018 |
| .gitignore | .gitignore update | Dec 30, 2017 |
| .travis.yml | travis test - use CBC | Jan 2, 2018 |
| .travis.yml-matrix | travis - matrices fix (boost libs), cleaning | Jan 2, 2018 |
| AES_code_transformation.ods | little corrections in AES encryption | Mar 15, 2013 |
| BGEAttack.cpp | bge attack - cout switch, extracted key to the private attrib | Jan 2, 2018 |
| BGEAttack.h | bge attack - cout switch, extracted key to the private attrib | Jan 2, 2018 |
| CMakeLists.txt | Including pthread library in all targets, fix for using latest GTest … | Dec 26, 2018 |
| EncTools.cpp | external IO fixes w.r.t. padding and cbc | Jan 2, 2018 |
| EncTools.h | cbc | Jan 2, 2018 |
| GenericAES.cpp | coverity_scan: fixed defects, using proper random number generator | Dec 4, 2015 |
| GenericAES.h | some cosmetic changes in genericAES | Apr 15, 2013 |
| InputObject.cpp | input object - base abstract added | Jan 2, 2018 |
| InputObject.h | input object - base abstract added | Jan 2, 2018 |
| InputObjectBuffer.cpp | input object added, ring buffer refactored | Jan 2, 2018 |
| InputObjectBuffer.h | memory includes | Jan 2, 2018 |
| InputObjectIOstream.cpp | input object added, ring buffer refactored | Jan 2, 2018 |
| InputObjectIOstream.h | input object added, ring buffer refactored | Jan 2, 2018 |
| InputObjectIstream.cpp | input object added, ring buffer refactored | Jan 2, 2018 |
| InputObjectIstream.h | input object added, ring buffer refactored | Jan 2, 2018 |
| InputObjectOstream.cpp | input object added, ring buffer refactored | Jan 2, 2018 |
| InputObjectOstream.h | input object added, ring buffer refactored | Jan 2, 2018 |
| LinearAffineEq.cpp | coverity_scan: fixed defects, using proper random number generator | Dec 4, 2015 |
| LinearAffineEq.h | Attack phase 1 - Q embedded to AES | Apr 11, 2013 |
| LinearAffineEq_test.cpp | linear equivalence test +1; md5 was missing in the repo; | Mar 26, 2013 |
| MixingBijections.cpp | coverity_scan: fixed defects, using proper random number generator | Dec 4, 2015 |
| MixingBijections.h | coverity_scan: fixed defects, using proper random number generator | Dec 4, 2015 |
| NTLUtils.cpp | Fix compilation error on older setups | Apr 13, 2016 |
| NTLUtils.h | coverity_scan: fixing detected defects | Dec 4, 2015 |
| README.md | readme update | Oct 16, 2018 |
| RingBuffer.cpp | ring buffer initial | Jan 2, 2018 |
| RingBuffer.h | memory includes | Jan 2, 2018 |
| WBAES.cpp | WBAES - new serialization methods - boost archive | May 21, 2016 |
| WBAES.h | WBAES - new serialization methods - boost archive | May 21, 2016 |
| WBAESGenerator.cpp | wbaes generator - extIO application on long buffers | Jan 2, 2018 |
| WBAESGenerator.h | wbaes generator - extIO application on long buffers | Jan 2, 2018 |
| base.cpp | coverity_scan: fixed defects, using proper random number generator | Dec 4, 2015 |
| base.h | coverity_scan: fixed defects, using proper random number generator | Dec 4, 2015 |
| build-debug.sh | Build scripts for release/debug mode added | May 21, 2016 |
| build-release.sh | Build scripts for release/debug mode added | May 21, 2016 |
| build.sh | example of how to use local NTL libs added to build.sh | May 21, 2016 |
| install-ntl-cached.sh | travis: try with lower cake version | Dec 2, 2015 |
| install-ntl.sh | travis initial commit | Dec 2, 2015 |
| main.cpp | main.cpp - formatting | Jan 2, 2018 |
| md5.c | linear equivalence test +1; md5 was missing in the repo; | Mar 26, 2013 |
| md5.h | linear equivalence test +1; md5 was missing in the repo; | Mar 26, 2013 |
| output-SboxAffine.txt | small typo fix | Mar 29, 2013 |
| output-SboxInverseAffine.txt | small modifs for AES SboxInv affine relations | Mar 29, 2013 |
| probInvMatrix8.m | initial import | Feb 27, 2013 |
| testing.cpp | coverity_scan: fixed defects, using proper random number generator | Dec 4, 2015 |
| testing.h | changed file names | May 23, 2013 |

Whitebox-crypto-AES

Whitebox cryptography AES implementation.

This repository contains a C++ implementation of:

  • The complete whitebox AES-128 scheme introduced by Chow et al. [2]. It implements input/output encodings, mixing bijections and external encodings.
  • The complete whitebox AES-128 scheme introduced by Karroumi [3], which uses dual AES ciphers (AES instances built over a different generating polynomial) with the aim of producing a stronger whitebox scheme.
  • The BGE attack on Chow's whitebox AES implementation found by Billet et al. [4]. The attack uses the whitebox AES generator to create a random instance of the scheme with a secret key K embedded in its tables, and then recovers K from the tables of that instance. The same BGE attack also breaks the scheme proposed by Karroumi, as I found out while working on my diploma thesis.

The implementation contains:

  • A whitebox AES code generator for both the Chow and the Karroumi scheme. It generates a randomized whitebox AES instance with the encryption key K embedded, which can be used either for encryption or for decryption. An instance can be serialized to a file.
  • Code for running a generated whitebox AES instance for encryption/decryption.
  • BGE key recovery attack on a generated whitebox AES instance.
  • Unit tests.
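The table-encoding idea both schemes are built on, as an added C++ example that is not code from this repository: one key byte's T-box S(x ^ k) is hidden behind random nibble-wise input and output encodings, the following MixColumns-style table is precomposed with the inverse of that output encoding, and the encodings cancel so the chain still computes the right value while neither table read on its own equals S(x ^ k). The key byte 0x2b, the seed and the choice of xtime (multiplication by {02}) as the "next table" are assumptions for the demo; the S-box and GF(2^8) arithmetic are the standard AES ones. Mixing bijections and the full 16-byte state are left out.

```cpp
#include <algorithm>
#include <array>
#include <cstdint>
#include <cstdio>
#include <initializer_list>
#include <numeric>
#include <random>

using Table  = std::array<uint8_t, 256>;
using Nibble = std::array<uint8_t, 16>;

// Multiplication in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1.
static uint8_t gf_mul(uint8_t a, uint8_t b) {
    uint8_t p = 0;
    for (int i = 0; i < 8; ++i) {
        if (b & 1) p ^= a;
        uint8_t carry = a & 0x80;
        a = static_cast<uint8_t>(a << 1);
        if (carry) a ^= 0x1b;
        b >>= 1;
    }
    return p;
}

// The AES S-box from its definition: inversion in GF(2^8) (0 maps to 0) followed by
// the affine map b ^ rotl(b,1) ^ rotl(b,2) ^ rotl(b,3) ^ rotl(b,4) ^ 0x63.
static uint8_t aes_sbox(uint8_t x) {
    uint8_t inv = 1;
    for (int i = 0; i < 254; ++i) inv = gf_mul(inv, x);   // x^254 == x^-1, and 0 stays 0
    uint8_t s = inv;
    for (int r = 1; r <= 4; ++r) s ^= static_cast<uint8_t>((inv << r) | (inv >> (8 - r)));
    return s ^ 0x63;
}

// MixColumns' multiplication by {02}; plays the role of "the next table" in the chain.
static uint8_t xtime(uint8_t a) { return gf_mul(a, 2); }

// A byte encoding in Chow's style: two independent random 4-bit bijections, one per
// nibble, each rejected if it happens to be the identity.
struct ByteEncoding {
    Nibble hi{}, lo{}, hi_inv{}, lo_inv{};

    explicit ByteEncoding(std::mt19937& rng) {
        for (Nibble* n : {&hi, &lo}) {
            std::iota(n->begin(), n->end(), uint8_t{0});
            do { std::shuffle(n->begin(), n->end(), rng); } while (std::is_sorted(n->begin(), n->end()));
        }
        for (int i = 0; i < 16; ++i) {
            hi_inv[hi[i]] = static_cast<uint8_t>(i);
            lo_inv[lo[i]] = static_cast<uint8_t>(i);
        }
    }
    uint8_t enc(uint8_t x) const { return static_cast<uint8_t>((hi[x >> 4] << 4) | lo[x & 0xf]); }
    uint8_t dec(uint8_t y) const { return static_cast<uint8_t>((hi_inv[y >> 4] << 4) | lo_inv[y & 0xf]); }
};

// One key byte's worth of a Chow-style table chain: an encoded T-box feeding an encoded
// MixColumns-style table, with encodings f (input), g (between tables) and h (output).
struct EncodedPipeline {
    std::mt19937 rng;
    ByteEncoding f, g, h;
    Table tbox_plain{}, tbox_enc{}, mix_enc{};
    uint8_t key;

    EncodedPipeline(uint8_t k, uint32_t seed) : rng(seed), f(rng), g(rng), h(rng), key(k) {
        for (int x = 0; x < 256; ++x) {
            uint8_t xb = static_cast<uint8_t>(x);
            tbox_plain[x] = aes_sbox(xb ^ key);                  // T(x) = S(x ^ k), never deployed
            tbox_enc[x]   = g.enc(aes_sbox(f.dec(xb) ^ key));    // g o T o f^-1: what the program ships
            mix_enc[x]    = h.enc(xtime(g.dec(xb)));             // h o xtime o g^-1: g cancels here
        }
    }
    // What the white-box program executes: nothing but lookups between f and h.
    uint8_t run(uint8_t x) const { return mix_enc[tbox_enc[f.enc(x)]]; }
    // What it must compute: the internal encoding g cancels and only h remains on the output.
    uint8_t reference(uint8_t x) const { return h.enc(xtime(aes_sbox(x ^ key))); }

    bool all_consistent() const {
        for (int x = 0; x < 256; ++x)
            if (run(static_cast<uint8_t>(x)) != reference(static_cast<uint8_t>(x))) return false;
        return true;
    }
    // Entries where the shipped T-box coincides with S(x ^ k): an attacker who reads the
    // table and inverts the S-box on it gets g(S(f^-1(x) ^ k)) back, not the key.
    int matching_entries() const {
        int n = 0;
        for (int x = 0; x < 256; ++x) n += (tbox_enc[x] == tbox_plain[x]);
        return n;
    }
};

int main() {
    EncodedPipeline p(0x2b, 12345);   // hypothetical key byte and seed
    std::printf("chain consistent: %s, plain-looking T-box entries: %d/256\n",
                p.all_consistent() ? "yes" : "no", p.matching_entries());
    return p.all_consistent() ? 0 : 1;
}
```

The point the BGE attack exploits is visible in this small model: the encodings protect a single table, but g appears in both tbox_enc and mix_enc, and relations between consecutive tables are what the attack analyses to peel the encodings off.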

You might also be interested in my Java implementation of Chow's whitebox AES scheme. In my diploma thesis I suggest modifications and improvements for a new whitebox-suited symmetric-key encryption algorithm based on AES.

[2]: Stanley Chow, Phil Eisen, Harold Johnson, and Paul C. Van Oorschot. White-box cryptography and an AES implementation. In Proceedings of the Ninth Workshop on Selected Areas in Cryptography (SAC 2002), pages 250–270. Springer-Verlag, 2002.

[3]: Mohamed Karroumi. Protecting white-box AES with dual ciphers. In Proceedings of the 13th international conference on Information security and cryptology, ICISC’10, pages 278–291, Berlin, Heidelberg, 2011. Springer-Verlag. ISBN 978-3-642-24208-3.

[4]: Olivier Billet, Henri Gilbert, and Charaf Ech-Chatbi. Cryptanalysis of a white box AES implementation. In Proceedings of the 11th international conference on Selected Areas in Cryptography, SAC’04, pages 227–240, Berlin, Heidelberg, 2005. Springer-Verlag. ISBN 3-540-24327-5, 978-3-540-24327-4. doi: 10.1007/978-3-540-30564-4_16.

Dependencies

  • C++11 or newer
  • CMake 2.8+
  • NTL 6.0.0+
  • boost_iostreams 1.55+
  • boost_serialization 1.55+
  • boost_program_options 1.55+
  • boost_random 1.55+

Description:

  • The NTL math library is used for computation in finite fields and linear algebra. NTL is licensed under the GPL, so this implementation also has to be GPL.
  • Boost (1.55) is used for serialization of the scheme instance and for parsing program input parameters.

Building

  • Travis CI is configured for the project, so in case of build problems refer to the Travis configuration file (.travis.yml).
  • Install the dependencies. NTL can be installed with the provided scripts install-ntl.sh or install-ntl-cached.sh.
  • Use CMake to build (the repository also ships build-debug.sh and build-release.sh):
mkdir build-debug
cd build-debug
cmake -DCMAKE_BUILD_TYPE=Debug ..
make

Usage

The project contains the basic whitebox AES cipher core, which encrypts or decrypts one single AES block.

To demonstrate basic usage, the following have been implemented on top of it:

  • PKCS5 padding (PKCS#7-style padding for the 16-byte AES block), so the plaintext input does not have to be a multiple of the AES block length. Implemented in EncTools.
  • ECB encryption mode
  • CBC encryption mode

The PKCS5, ECB and CBC implementations are for demonstration/academic purposes: they may leak information via side channels (e.g., timing, memory access patterns). ECB also exposes equal plaintext blocks as equal ciphertext blocks, and a CBC decryptor that reports bad padding distinguishably from other failures can be abused as a padding oracle.

Note that padding can be used only if external encodings are not used. Otherwise the input/output has, by definition, to be already padded to the block size so that the ExtIO encoding can be removed before the operation; there is no place between the external encoding and the cipher to insert or strip padding.
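The padding/mode layer and the external-encoding rule above, as an added C++ example that is not the project's EncTools code: PKCS#7 padding for the 16-byte block (what the project calls PKCS5), CBC over a one-block-at-a-time core, and a seal/unseal pair that refuses to pad when external encodings are enabled. The block core is a hypothetical stand-in (keyed XOR plus a byte transposition, not a cipher in any security sense) so the code runs without the generated WBAES tables; the BlockCipher interface it implements, the key bytes and the sample input are assumptions.

```cpp
#include <algorithm>
#include <array>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <stdexcept>
#include <vector>

using Bytes = std::vector<uint8_t>;
using Block = std::array<uint8_t, 16>;

// All the mode and padding code needs from the core: one block in, one block out.
struct BlockCipher {
    virtual ~BlockCipher() = default;
    virtual Block encrypt_block(const Block& in) const = 0;
    virtual Block decrypt_block(const Block& in) const = 0;
};

// Hypothetical stand-in core (NOT a cipher): keyed byte XOR then a fixed transposition.
// It only exists so the code below runs stand-alone; real use would plug in WBAES tables.
struct ToyCore : BlockCipher {
    Block key;
    explicit ToyCore(const Block& k) : key(k) {}
    Block encrypt_block(const Block& in) const override {
        Block out{};
        for (size_t i = 0; i < 16; ++i) out[(i * 5) % 16] = in[i] ^ key[i];
        return out;
    }
    Block decrypt_block(const Block& in) const override {
        Block out{};
        for (size_t i = 0; i < 16; ++i) out[i] = in[(i * 5) % 16] ^ key[i];
        return out;
    }
};

// PKCS#7 padding for the 16-byte AES block ("PKCS5" in the project's naming): always
// append 1..16 bytes holding the pad length, so an aligned message gets a full extra block.
Bytes pkcs7_pad(Bytes data) {
    uint8_t n = static_cast<uint8_t>(16 - data.size() % 16);
    data.insert(data.end(), n, n);
    return data;
}

// Strip PKCS#7 padding. All 16 tail bytes are inspected whatever the claimed length and
// there is one failure result, so a wrong length and a wrong pad byte are not told apart
// here; whether the caller leaks that verdict (distinct error, timing) decides if a
// padding oracle exists.
bool pkcs7_unpad(Bytes& data) {
    if (data.size() < 16 || data.size() % 16 != 0) return false;
    unsigned n = data.back();
    unsigned bad = (n == 0) | (n > 16);
    for (size_t i = 0; i < 16; ++i) {
        unsigned in_pad = (i < n);                               // 1 for bytes that must equal n
        bad |= in_pad & (data[data.size() - 1 - i] != n);
    }
    if (bad) return false;
    data.resize(data.size() - n);
    return true;
}

static Block load_block(const Bytes& b, size_t off) {
    Block x{};
    std::copy_n(b.begin() + static_cast<std::ptrdiff_t>(off), 16, x.begin());
    return x;
}

// CBC: C_i = E(P_i ^ C_(i-1)) with C_0 = IV. Input must already be block aligned.
Bytes cbc_encrypt(const BlockCipher& c, const Block& iv, const Bytes& in) {
    if (in.size() % 16 != 0) throw std::invalid_argument("CBC input must be block aligned");
    Bytes out;
    Block prev = iv;
    for (size_t off = 0; off < in.size(); off += 16) {
        Block x = load_block(in, off);
        for (size_t i = 0; i < 16; ++i) x[i] ^= prev[i];
        prev = c.encrypt_block(x);
        out.insert(out.end(), prev.begin(), prev.end());
    }
    return out;
}

Bytes cbc_decrypt(const BlockCipher& c, const Block& iv, const Bytes& in) {
    if (in.size() % 16 != 0) throw std::invalid_argument("CBC input must be block aligned");
    Bytes out;
    Block prev = iv;
    for (size_t off = 0; off < in.size(); off += 16) {
        Block cblk = load_block(in, off);
        Block x = c.decrypt_block(cblk);
        for (size_t i = 0; i < 16; ++i) x[i] ^= prev[i];
        out.insert(out.end(), x.begin(), x.end());
        prev = cblk;
    }
    return out;
}

// The README's rule in code: padding only without external encodings. With extIO the
// caller hands over data that is already encoded and block aligned, and it is passed
// straight through to the cipher.
Bytes seal(const BlockCipher& c, const Block& iv, const Bytes& msg, bool ext_encoding) {
    if (ext_encoding) {
        if (msg.size() % 16 != 0)
            throw std::invalid_argument("extIO input must be block aligned; padding unavailable");
        return cbc_encrypt(c, iv, msg);
    }
    return cbc_encrypt(c, iv, pkcs7_pad(msg));
}

bool unseal(const BlockCipher& c, const Block& iv, const Bytes& ct, bool ext_encoding, Bytes& msg) {
    if (ct.size() % 16 != 0) return false;
    msg = cbc_decrypt(c, iv, ct);
    return ext_encoding ? true : pkcs7_unpad(msg);
}

int main() {
    Block key{};
    for (size_t i = 0; i < 16; ++i) key[i] = static_cast<uint8_t>(i * 7 + 1);   // arbitrary key bytes
    ToyCore core(key);
    Block iv{};                                   // all-zero IV, for this demo only
    Bytes msg = {'h', 'e', 'l', 'l', 'o'};        // constructed sample input
    Bytes ct = seal(core, iv, msg, false), back;
    bool ok = unseal(core, iv, ct, false, back) && back == msg;
    std::printf("ciphertext %zu bytes, round trip %s\n", ct.size(), ok ? "ok" : "FAILED");
    return ok ? 0 : 1;
}
```

The test below also flips one bit in the first ciphertext block of a two-block message: CBC propagates it into the last byte of the next plaintext block, the pad byte becomes 0x11, and unseal reports failure, which is exactly the signal a padding-oracle attacker would probe for if the caller exposed it.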

The project contains a demo of the BGE attack in the target ./testing.

There are also some unit tests implemented with GTest in the target ./gtesting.

The target ./main contains a basic runnable main with a few options that allows using the WBAES from the command line.

Help output of ./main:

WBAES table implementation usage:
  -h [ --help ]                   Display this help message
  --bench-gen [=arg(=0)] (=0)     Benchmarking rounds for AES gen
  --bench-bge [=arg(=0)] (=0)     Benchmarking rounds for AES BGE attack
  -e [ --extEnc ] [=arg(=0)] (=0) Use external encoding?
  -o [ --out-file ] arg           Output file to write encrypted data
  --input-files arg               Input files
  --create-table arg              Create encryption/decryption tables
  --create-random [=arg(=0)] (=0) Create tables with random key
  --use-key arg                   Create encryption/decryption with given
                                  hex-coded key
  --use-iv arg                    Use CBC with given hex-coded IV
  --load-tables arg               Loads encryption/decryption tables from given
                                  file
  --decrypt [=arg(=0)] (=0)       Should perform encryption or decryption
  --pkcs5 [=arg(=0)] (=0)         Enables PKCS5 padding
  --cbc [=arg(=0)] (=0)           Uses CBC mode
  -v [ --version ]                Display the version number

Example:

# Generate new WBAES table, disable extIO
./main --create-table /tmp/aes-table --extEnc=0

# Load existing WBAES tables and encrypt a file with CBC and PKCS5 (here the table file itself serves as the sample plaintext)
./main --load-tables /tmp/aes-table --extEnc=0 --input-files /tmp/aes-table --pkcs5=1 --cbc=1 -o /tmp/aes-table.enc

# Load existing WBAES tables and decrypt previously encrypted file
./main --load-tables /tmp/aes-table --extEnc=0 --input-files /tmp/aes-table.enc --pkcs5=1 --cbc=1 -o /tmp/aes-table.dec --decrypt=1

# Compare original and dec(enc(original))
diff /tmp/aes-table /tmp/aes-table.dec

License

Code is published under the GPLv3 license [http://www.gnu.org/licenses/gpl-3.0.html]. This license holds from the first commit. I also require that my copyright header is kept in the files if you decide to use my source code.

Using the GPL in short means that if you incorporate this source code into your application, the application has to be published under GPLv3 as well. Also, if you make any improvement to my source code and use the improved version, you are obliged to publish the improved version as well.

If this license does not fit you, drop me an email; I am sure we can negotiate something.

** UPDATE 31.01.2017 **
NTL is now licensed under LGPL v2.1+, so I can relicense the code to LGPL v2.1+ by written permission. The code is therefore GPLv3 licensed by default, but if you drop me an email I will give you an LGPL v2.1+ license. I am also open to other licensing options.

Donating

This implementation is open source. If you like the code or find it useful, please feel free to donate to the author whatever amount you like by clicking the PayPal button below. And if you don't feel like donating, that's OK too.

Bitcoin:

1DBr1tfuqv6xphg5rzNTPxqiUbqbRHrM2E

Monero: 47BEukN83whUdvuXbaWmDDQLYNUpLsvFR2jioQtpP5vD8b3o74b9oFgQ3KFa3ibjbwBsaJEehogjiUCfGtugUGAuJAfbh1Z

Contributing

If you want to improve my code by extending it to AES-256 or by implementing other whitebox AES schemes, do not hesitate to submit a pull request. Please also consider doing so if you find a bug in the code. I am not actively developing this code at the moment, but I will review pull requests. Thanks!