Ask The Experts: White Box Cryptography
The notion of keeping valuable information, such as licensing and trade secrets, hidden while operating in a fully transparent environment poses various challenges. How do I encrypt or decrypt content without directly revealing any portion of the key or the data? How do I perform strong encryption knowing that hackers can observe and/or alter the code during execution?
White box cryptography is an alternative approach to traditional security models. As opposed to implementations where the attacker only had access to a Black box, i.e. access to inputs and outputs and possibly knowledge of the cryptographic algorithm under attack and assumed zero visibility into internal workings, white box allows full visibility of the attacker but still keeps security intact.
For optimal security, it is of paramount importance to ensure that the communication between the protected application and the hardware token is encrypted and cannot be replayed. Unlike in previous implementations which aimed to somehow hide the encryption key though it couldn’t really do it, the new implementation is centered on White box cryptography, where it is assumed that the attacker can trace the protected application and the run-time environment in search for the encryption key. With this assumption as part of the design, the algorithm and encryption keys are replaced with special vendor-specific API libraries that implement the same encryption, but embed the encryption key as part of the algorithm in a way that ensures that it’s never present in the memory and therefore cannot be extracted.
Embedding the white box algorithm into the API libraries is in itself a sensitive process that must not be susceptible to reverse engineering, and as such it has to be performed on remote servers where hacker tools cannot reach. In addition, each application library is individually generated and obfuscated for a specific software vendor – making a generic hack virtually impossible.
Preventing hardware key emulation is of the utmost importance. SafeNet is the first software security company to introduce a solution that keeps this threat at bay by implementing white box cryptography. This innovative approach leverages existing hardware keys, saving customers from going through an expensive phase of replacing keys in the field, and at the same time providing uncompromised security level which is comparable to that provided by asymmetric cryptography.
Software protection must receive specific attention throughout the design and implementation stages in addition to being constantly updated and enhanced as part of the product lifecycle and the release of new versions. White box cryptography is an highly secure approach to secure communication channel implementation, but as important as it is as a building block, ISV’s must make effective use of the higher level tools available to them when integrating the protection.