You missed the point. maria2 is talking about whitebox crypto. The "whitebox" part means that the decryption process happens on your machine incuding the secrets, which are present in some obfuscated scrambled form in memory. Getting the secret key is a matter of debugging and understanding the obfuscation scheme. A prime example of this is DRM like Widevine (L3) in the chrome browser.
I am really failing to understand the distinction here. Encryption with say, AES has very different properties and use cases compared to an obfuscation scheme. You can use encryption as a part of an obfuscation scheme, but obfuscation is a shell game, all the way down. Crypto is not, mathematically. They are categorically different things, right?
Obfuscation with encryption can be done with good ciphers, like AES, but the key is still shipped with the code, so it's still just cat and mouse.
It's a little different if the key is hardware specific, so each binary only runs on one system and it's hard to extract the keys, but that's not a typical setup. Usually it's this code needs to run on the general public's computers or phones, and that's too general a target to rely on hardware crypto.
You missed the point. maria2 is talking about whitebox crypto. The "whitebox" part means that the decryption process happens on your machine incuding the secrets, which are present in some obfuscated scrambled form in memory. Getting the secret key is a matter of debugging and understanding the obfuscation scheme. A prime example of this is DRM like Widevine (L3) in the chrome browser.
I am really failing to understand the distinction here. Encryption with say, AES has very different properties and use cases compared to an obfuscation scheme. You can use encryption as a part of an obfuscation scheme, but obfuscation is a shell game, all the way down. Crypto is not, mathematically. They are categorically different things, right?
Obfuscation with encryption can be done with good ciphers, like AES, but the key is still shipped with the code, so it's still just cat and mouse.
It's a little different if the key is hardware specific, so each binary only runs on one system and it's hard to extract the keys, but that's not a typical setup. Usually it's this code needs to run on the general public's computers or phones, and that's too general a target to rely on hardware crypto.
The key specifier word was "whitebox". They aren't speaking generally about cryptography.
The math is irrelevant when the key is known to all parties.
1 reply →