SECURITY The Glass Box: Making Cryptography Secure in Hostile Environments
KnowledgeBase

Navigation

Computer Science

Mathematics

Security

PicoCTF

HackTheBox

TryHackMe

Geometry

Cheatsheet

Sosyal Medya

Kaynaklar

NotebookLM
Kaynak Notları
Binary Exploitation
PDF Kitap (Yakında)
SSL Bypass
Frida Android Tool
ASM Playground
x86-64 / ARM64

Güncel Makaleler

Yükleniyor...
Erciyes Uni.
Bilgisayar Muh.
CBFRPRO CBTEAMER CNPEN eMAPT

Security

The Glass Box: Making Cryptography Secure in Hostile Environments

November 25, 2025

In traditional cryptography, we picture a pretty safe setup: Alice sends a message to Bob. They’ve both got their keys stored safely on their devices. We assume the attacker, Eve, is snooping on the wire, but she can’t actually reach into Alice’s or Bob’s devices to steal the keys. This is the Black-Box Model. It assumes the devices doing the encryption are safe zones where secrets can sit in memory without worry.

But here’s where things get interesting: what if the bad guy isn’t just listening on the wire? What if the attacker is the computer running the software?

Think about a movie streaming app with Digital Rights Management (DRM), or a mobile wallet on your phone. The decryption key has to be in the device’s memory to play the movie or pay for coffee. But if a user wants to pirate that movie, they have total control over that phone. They can freeze time, read memory, trace every single CPU instruction, and even mess with the code while it’s running. This is what we call the White-Box Attack Context (WBAC) [1].

In this scenario, regular crypto falls apart fast. Standard implementations are built for speed, not hiding. If you have the code, you can just ask the debugger: “Hey, show me the variable where you stored the key.” Or, you can just scan the memory for things that look like keys.

So, how do we hide a secret in a program that is completely transparent to the attacker? Welcome to White-Box Cryptography.

1. Hiding the Secret Sauce in Plain Sight

Back in 2002, Stanley Chow and his team came up with a clever approach to handle this [1]. Their goal was to turn a standard algorithm like AES (Advanced Encryption Standard) into a giant mess of lookup tables so that the key never actually sits in memory—not even for a nanosecond.

The Game Plan: Mixing It Up

Standard AES works in rounds. In each round, the data goes through a bunch of math operations. One of them is AddRoundKey, which usually looks like this:

\[state = state \oplus key\]

If a hacker sees this, it’s game over—they grab the key.

Chow’s idea was to bake the key into the operations using a trick called Partial Evaluation [1]. Instead of calculating the XOR on the fly, we pre-calculate a lookup table (a “T-box”) that does the substitution and the key addition all at once.

For a specific byte of the key $k_{i,j}$ and the S-box function $S$, we define a T-box:

\[T_{i,j}(x) = S(x \oplus k_{i,j})\]

Now, the program doesn’t have the key $k_{i,j}$ anywhere. It just has a table $T_{i,j}$. When the program runs, it looks up the input $x$ in the table and gets the answer. To an outsider, the table just looks like a list of random numbers. The secret operation has been “hardcoded” into the logic of the program itself.

Let’s Break It Down with Numbers:

Let me show you a simple example using basic math instead of hex bytes.

Suppose our secret key is 5.

Suppose our function is “multiply by 3” ($S(x) = 3x$).

The input data is 4.

In a normal app, the CPU would do this:

\[4 \oplus 5 = 1 \text{ (XOR operation)}\]

Then the math:

\[S(1) = 3 \times 1 = 3\]

The attacker watching the memory would see the 5 (the key) and the 1 (the intermediate result).

In the White-Box version, we pre-make a table $T$.

At index 4, we store the final answer: $S(4 \oplus 5) = S(1) = 3$.

At index 5, we store $S(5 \oplus 5) = S(0) = 0$.

At index 6, we store $S(6 \oplus 5) = S(3) = 9$.

When the user runs the app with input 4, the code simply checks index 4 of the table and finds 3. The number 5 (the key) is never used, never loaded, and never appears in memory!

The Catch: It’s Not Perfect Yet

Just baking the key into a table isn’t enough. A smart attacker knows the standard math functions (they’re public!) and can reverse-engineer the table to find the key. If they see the output, they can work backward.

To fix this, we need Encodings. We need to make sure the values entering and leaving these tables are never “clean” values.

2. Encodings: Mathematical Camouflage

Here’s the real magic trick of White-Box Crypto described by Chow et al. [1]. We want to disguise the data flowing between the steps so that an attacker just sees random noise. We’re creating a custom encryption algorithm that does the same job as AES but looks totally different on the inside.

We use random bijections (fancy math word for reversible functions) to scramble inputs and outputs.

Let’s say we have a step $X$. We choose a random input scrambler $F$ and a random output scrambler $G$. The “white-boxed” version of this step, let’s call it $X’$, works like this:

\[X' = G \circ X \circ F^{-1}\]

When we run this, we are actually:

Unscrambling the input using $F^{-1}$.

Doing the actual work $X$.

Rescrambling the result using $G$.

All three steps are pre-computed into one lookup table. The naked, clean values never exist in memory.

Chaining the Chaos

The cool part is when you chain these steps together. Suppose we have step $X$ followed by step $Y$. We encode $X$ with output scrambler $G$, and we encode $Y$ with input scrambler $G$.

\[X' = G \circ X \circ F^{-1}\] \[Y' = H \circ Y \circ G^{-1}\]

When we run them in a row:

\[Y' \circ X' = (H \circ Y \circ G^{-1}) \circ (G \circ X \circ F^{-1})\]

The $G^{-1}$ and $G$ in the middle cancel each other out!

\[Y' \circ X' = H \circ (Y \circ X) \circ F^{-1}\]

The program gets the right answer ($Y \circ X$), but the data passing in between is totally scrambled by $G$. The attacker just sees gibberish.

Visualizing the Cancellation:

Let me show you a simple example to see the magic.

Step X: “Add 10”.

Step Y: “Subtract 2”.

Scrambler G: “Multiply by 2” (So $G^{-1}$ is “Divide by 2”).

We want to do $X$ then $Y$. The “clean” result for input 5 should be $(5+10)-2 = 13$.

Now, let’s white-box it.

White-Box Step X: Do X, then scramble the output with G.

Logic: $(Input + 10) \times 2$.

Input is 5: $(5+10) \times 2 = 30$.

The value sitting in memory is 30. This is our scrambled secret.

White-Box Step Y: Unscramble with $G^{-1}$, do Y, then scramble again (we’ll skip the last scramble for now).

Logic: $(Input / 2) - 2$.

Input is 30.

Calc: $(30 / 2) - 2 = 15 - 2 = 13$.

See what happened? The “Multiply by 2” and “Divide by 2” cancelled out perfectly. The program got the right answer (13), but the value in the middle (30) hid the real intermediate state (15) from the attacker.

3. The Bad Guys Strike Back

While Chow’s design was brilliant, it’s a constant battle. Attackers eventually figured out ways to crack these designs. As analyzed by Biryukov and Udovenko [2], their goal is to peel back these layers of camouflage.

Differential Computation Analysis (DCA)

Hackers borrowed tricks from hardware hacking. In Side-Channel Attacks (like Power Analysis), they measure how much power a smartcard uses to guess the key.

In the White-Box world, they don’t need to measure power. They can just trace the bits! By running the program loads of times with different inputs and seeing what changes, they can statistically guess the key. It’s surprisingly effective because unlike hardware, software traces are perfect and noiseless [2].

The Algebraic Attack

Since the disguises are often simple math (to save speed), attackers can treat the whole thing like a giant algebra problem.

If the tables look like linear equations, they can just use Gaussian elimination (high school math!) to solve for the disguises, strip them away, and expose the key [2].

4. The Future: Masking and Shuffling

To fight back, modern White-Box designs use Masking, a countermeasure highlighted by Biryukov and Udovenko against these newer attacks [2].

Instead of just encoding values, we split every secret variable into pieces, or “shares”.

\[x = x_1 \oplus x_2 \oplus \dots \oplus x_n\]

The program never touches the real $x$. It works on the pieces independently. To get the secret, an attacker has to find all the pieces at the exact same time. If they miss even one, the data is useless junk.

The challenge now is:

Value Hiding: Make sure the pieces don’t mathematically hint at the secret [2].

Structure Hiding: Shuffle the code and memory so the attacker can’t figure out which pieces go together [2].

Conclusion

White-Box Crypto isn’t unbreakable. Given infinite time and control, a dedicated hacker will crack it. But that’s not the point. The goal is obscurity and delay. We want to make the reverse-engineering process so expensive, difficult, and annoying that it’s just not worth their time.

It’s a digital fortress made of glass—transparent, but hopefully tough enough to keep the secrets safe for as long as we need them.

References

[1] Chow, S., Eisen, P., Johnson, H., & van Oorschot, P. C. (2002). White-Box Cryptography and an AES Implementation. Selected Areas in Cryptography, 250-270.

[2] Biryukov, A., & Udovenko, A. (2018). Attacks and Countermeasures for White-box Designs. Advances in Cryptology – ASIACRYPT 2018, 373-402.

Paylaş

Yorumlar

🔔
Yeni yazılardan haberdar ol! Bildirim al, hiçbir yazıyı kaçırma.