Eurocrats prep white-box crypto capture-the-flag
Defender or attacker, you’re less than a fortnight away from the WhibOx Challenge, a capture-the-flag (CTF) competition operated by the EU-supported ECRYPT.
If you’re on the defensive side, the CTF asks for white-box implementations of AES-128 (using keys of your own choice), to see how long you last against an attacker.
The challenge for attackers is simple: extract the hard-coded encryption key – and attackers can work either anonymously or under their own names. Moreover, attackers aren’t asked to release their designs, merely to provide the resulting C code.
ECRYPT explains that it’s observed increasing use of homebrew (white-box) crypto for DRM and mobile applications, which means their security relies on keeping their techniques secret “rather than to rely on academic designs”.
Crypto solutions are judged simply against how long they last (measured in “strawberry points”, apparently for no better reason than to call attackers’ scores “banana points”).
Attackers inherit those strawberry points at the moment they crack the system, so a system that lasts longer is a better prize, but an attacker who cracks more of the easy systems faster isn’t denied their advantage.
The submission server opens on May 15. After that, the key dates are:
CryptoExperts wrote the submission server (code here), and during the competition, the server will be operated by the Technical University of Eindhoven. ®
Bootnote: Before commentards rain down “security by obscurity” and “don’t roll your own encryption”: we agree. However, if such things are going to exist – and they are – a hackfest is probably as good a place as any in which to ventilate them. ®
Article source: http://go.theregister.com/feed/www.theregister.co.uk/2017/05/02/whibox_challenge/