Field
The Advanced Encryption Standard (AES) cipher can be performed in a manner that preserves the secrecy of cryptographic keys, even under the intense scrutiny of a reverse-engineer observing every aspect of the computation.
Description of the Related Art
The Advanced Encryption Standard (AES) is a symmetric block cipher believed to offer a high degree of security. This assertion is supported by the inclusion of AES as the basis for all symmetric-block and stream ciphers in the National Institute of Standards and Technology (NIST) Suite B Cryptography specification.
As with all cryptographic primitives, AES primitives are designed with the assumption that the AES computations will be performed in private, such that an adversary can observe, at most, the input and output of the primitive. This assumption of privacy during computation is made in the design of every established cryptographic cipher. Unfortunately, such private places to execute software rarely exist: vulnerabilities are frequently uncovered that compromise assumed-secure networked servers (most recently, “Heartbleed” for OpenSSL), and physical devices are routinely reverse-engineered by amateur enthusiasts, academics in security fields, and commercial competitors, many with surprising access to expensive reverse-engineering technology and tools.
For example, a reverse engineer watching the computations of a traditional AES implementation will see the key being loaded into memory to construct the AES key schedule. The reverse engineer can simply extract the key from memory, and subsequently encrypt/decrypt, eavesdrop on secure sessions, or forge digital signatures as if s/he were the authentic version of the compromised server or device.
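To make the exposure concrete, the following is an added illustration (not code from the application): a plain Python implementation of the AES-128 key expansion of FIPS-197 Section 5.2, run on the FIPS-197 Appendix A.1 test key. It shows that round key 0 is the key verbatim and that any later round key can be walked back to it, so a memory snapshot of the schedule at any point of the computation is equivalent to the key. The S-box is generated from its GF(2^8) definition rather than typed in.

```python
"""AES-128 key expansion and its inverse (constructed illustration, FIPS-197 test key)."""

def _xtime(a):
    # Multiply by x in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1.
    return ((a << 1) ^ 0x1B) & 0xFF if a & 0x80 else a << 1

def _gf_mul(a, b):
    p = 0
    while b:
        if b & 1:
            p ^= a
        a, b = _xtime(a), b >> 1
    return p

def _sbox_entry(x):
    # Multiplicative inverse (x^254) followed by the FIPS-197 affine transformation.
    inv = 0
    if x:
        inv = 1
        for _ in range(254):
            inv = _gf_mul(inv, x)
    rot = lambda v, n: ((v << n) | (v >> (8 - n))) & 0xFF
    return inv ^ rot(inv, 1) ^ rot(inv, 2) ^ rot(inv, 3) ^ rot(inv, 4) ^ 0x63

SBOX = bytes(_sbox_entry(x) for x in range(256))
RCON = [0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1B, 0x36]

def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def _g(word, rcon):
    # SubWord(RotWord(word)) XOR Rcon: the non-linear step applied to every 4th word.
    subbed = bytes(SBOX[b] for b in word[1:] + word[:1])
    return bytes([subbed[0] ^ rcon]) + subbed[1:]

def expand_key(key):
    """Return the 11 round keys (16 bytes each); round key 0 is the key itself."""
    w = [key[i:i + 4] for i in range(0, 16, 4)]
    for i in range(4, 44):
        temp = _g(w[i - 1], RCON[i // 4 - 1]) if i % 4 == 0 else w[i - 1]
        w.append(_xor(w[i - 4], temp))
    return [b"".join(w[4 * r:4 * r + 4]) for r in range(11)]

def recover_key(round_key, round_no):
    """Invert the schedule: from round key `round_no` back to round key 0 (the key)."""
    w = [round_key[i:i + 4] for i in range(0, 16, 4)]
    for r in range(round_no, 0, -1):
        # Each word of round r is w[prev] XOR (previous word); undo the linear words first,
        # then the one word that passed through the S-box and Rcon.
        w3, w2, w1 = _xor(w[3], w[2]), _xor(w[2], w[1]), _xor(w[1], w[0])
        w = [_xor(w[0], _g(w3, RCON[r - 1])), w1, w2, w3]
    return b"".join(w)

if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # FIPS-197 A.1 test key
    rks = expand_key(key)
    print("round key 0 == key:", rks[0] == key)
    print("key recovered from round key 10:", recover_key(rks[10], 10) == key)
```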
“White-box” AES implementations that may attempt to address the above issues are not frequently published because of an expectation that publication may lead to their compromise. The white-box cryptography designs by Chow and Eisen of Cloakware are believed to have been published in the academic literature. The white-box AES implementation of Intertrust is based on a multi-channel finite-state automaton source-code transformation of a traditional AES implementation. Such “white-box” techniques are typically understood in the academic community to be obfuscated variants of the original ciphers.
Additionally, general anti-reverse-engineering protections can be applied over standard cryptographic implementations to help secure key material, particularly if keys are reconstructed from source material just-in-time before use. Machine-code level obfuscation, including instruction re-writing, basic block shuffling, and artificial path-merging, as well as anti-tampering protection, can be added to arbitrary software. Multiple language- and platform-specific tools can offer the same machine-code level obfuscations. These automated machine-code obfuscation techniques typically have performance impacts, and are typically restricted to software implementations.
Another option for securing keys is to execute the cryptography on a secure processor/Hardware Security Module (HSM). This approach typically is only applicable to server hardware. One cannot expect, for example, the average consumer of digital content to install an HSM in each content-consuming device in their home. HSMs are high cost, and depreciate as cryptography standards or hardware technologies change. Secure processors and HSMs are also subject to the same amateur enthusiasts, academics, and commercial competitors as above, potentially rendering a hardware investment insecure with no path to remediation.
A related option is to encapsulate devices in security enclosures, whether at the chip, board, device, or assembly level. This approach is typically costly, as a custom-engineered security enclosure must typically be fit to the device in question. Such physical security comes with a side effect of fragility, and so this approach also introduces logistical concerns during shipping and field-maintenance/returned-merchandise support.
Thus, the security proofs that make traditional cryptography a valuable tool may hang on a premise that is not attained in reality. Alternatively, attempting to provide such security may result in performance compromises or limited areas of implementation.