Software Security and White-box Cryptography

Saturday November 30th, 2019 at 2:30 p.m. Dr. Sk Md Mizanur Rahman, professor in the department of Information and Communication Engineering Technology, School of Engineering Technology and Applied Science, Centennial College, will be presenting “Software Security and White-box Cryptography”.

Day & Time: Saturday November 30th, 2019
2:30 p.m. ‐ 3:30 p.m.

Speaker: Dr. Sk Md Mizanur Rahman
Professor, Department of Information and Communication Engineering Technology, School of Engineering Technology and Applied Science, Centennial College

Organizers: IEEE Toronto Systems Chapter

Location: Centennial College
941 Progress Avenue
Toronto, Ontario
Canada M1G 3T8
Room Number: PR A3-15

Contact: Dr. Mehrdad Tirandazian

Abstract: Traditionally, cryptographic implementations are mainly designed to resist black-box attack without considering grey-box or white-box attacks. In a black-box attack model, an adversary tries to deduce the cryptographic key by knowing the algorithm and analyzing only inputs and outputs without the execution being visible. It is assumed that the adversaries know what family of cryptographic algorithm they are targeting (e.g., AES, DES, RSA, etc.), but all other details (e.g. execution time, power consumption, memory accesses) are unavailable to them. In fact, a black-box attacker treats a cryptographic implementation as a mathematical function. On the other hand, a white-box attacker is a much more powerful type of adversary and is able to analyze all parts of the implementation. Rather than just study inputs and outputs, a white-box attacker can see everything that goes on inside the implementation. For example, if the attackers are targeting cryptographic software running on, say, a PC or mobile phone, then they can execute that software inside a debugger and examine memory and register values during the execution. In a grey-box attack scenario, it is assumed that an attacker has limited knowledge of the security assets and methods (more that a black-box attacker) but does not have access to source code or detail design information. Therefore, based on the severity of an attack, the above attack models can be categorized as white-box > grey-box > black-box. In this presentation, a brief discussion will be given on white-box implementations of the existing cryptographic algorithms.

Biography:
Dr. Sk Md Mizanur Rahman is a fulltime professor in the department of Information and Communication Engineering Technology, School of Engineering Technology and Applied Science, Centennial College. Prior to his current appointment, he worked as an Assistant Professor for five years in the Information Systems Department at the College of Computer and Information Sciences, King Saud University. He also worked for several years in cryptography and security engineering in the high-tech industry in Ottawa, Canada. In addition, he worked as a postdoctoral researcher for several years at the University of Ottawa, University of Ontario Institute of Technology (UOIT), and University of Guelph, Canada. He completed a Ph.D. in Engineering (Major: Cybersecurity Risk Engineering) in the Laboratory of Cryptography and Information Security, Department of Risk Engineering, University of Tsukuba, Japan, in 2007. The Information Processing Society Japan (IPSJ) awarded Dr. Rahman its Digital Courier Funai Young researcher Encouragement Award for his excellent contributions to IT security research. He is awarded a Gold Medal for distinction in his undergraduate and graduate programs. He has published approximately one-hundred peer reviewed journal and conference research articles. Also, he has a granted industrial patent (US Patent) on cryptographic key generation and protection. Dr. Rahman’s primary research interests are cryptographic protocol design, white-box cryptography, software and network security, reverse engineering and ethical hacking, privacy enhancing technology, sensor and mobile ad-hoc network security, cloud and the Internet of Things (IoT) security, machine learning in information security.