Arxan Technologies, Inc.Arxan

Call Us: (301) 968-4290

 
  •  Home 
  •  Products 
      • Desktop and Server Applications
      • Web Applications
      • Embedded Applications
      • License Management Applications
      Application Hardening – GuardIT®
    • Guard Technology
    • Key Protection - TransformIT™
      • Yellow Team Services
      • Application Security Engineering Services
      Professional Services
     
  •  Solutions 
    • Software Protection Solutions
    • Software Protection for Publishers
    • Enterprise Software Security
    • Digital Media Protection
     
  •  Our Company 
    • About Arxan
    • Management Team
    • Industry Awards
    • Career Opportunities
    • Board Members
     
  •  Resources 
    • Case Studies
    • Security White Papers
    • Webinars Series
    • Software Security Events
    • Product Data Sheets
     
  •  News 
    • Press Releases
    • Arxan in the News
    • Industry News
     
  •  Partners 
    • Alliance Partners
    • Investor Partners
     
  •  Contact Arxan 
    • Sales Department
    • General Inquiries
    • Product Support
    • Website Feedback
     
  • Arxan Defense Systems
 

Arxan Technologies, Inc.

  • Press Releases
  • Arxan In the News
  • Industry News
 
FREE CRACKED SOFTWARE INVESTIGATION REPORT
Best Practices for Protecting Intellectual Property
Best Practices Webinars
Contact Arxan

Products

  • Print Page
  • Email Page
Back to Articles

Encryption’s Weak Points

Make Sure Your SME’s Information Is Not In Danger

ProcessorBy Robyn Weisman
Processor
April 25, 2008
Vol.30 Issue 17

A few months ago, a group of researchers at Princeton University published a highly publicized study showing that DRAM (dynamic random-access memory) could be flash-frozen, enabling intruders a way to download encryption keys to hard drives and subsequently exploit information from them.

“Security experts have known about this attack for the better part of 20 years. It’s why customers who are very security-conscious, like banks and governments, require that all keys never leave a high-security hardware module and are never stored in memory, where they could be potentially recovered using the techniques that the Princeton researchers talk about,” says Luther Martin, chief security architect at information encryption solutions provider Voltage Security (www.voltage.com).

For her part, Amena Ali, chief marketing officer at IP security provider Arxan Technologies (www.arxan.com), says that the Princeton study promulgated the notion of what constitutes data protection, where encryption fits in, and the pitfalls of encryption that enterprises need to keep in mind so that they can harden their data protection security setup.

The Takeaway
“There’s always a way to beat any security mechanism,” Martin says. “The job of security vendors is to make sure that it’s difficult enough to defeat their products that a hacker won’t even bother trying.”

Vince Arneja, director of product management at Arxan, says that a paradigm shift is occurring in the information security market. “Security is no longer viewed as being something you implement at the infrastructure, let’s say at the edge with a hardware appliance or software. It needs to be embedded within the application or the data itself,” he says.

How Am I Protecting My Key?
Encryption is a handy first line of defense for protecting information systems against piracy and theft, but its Achilles’ heel takes place at the point of decryption, says Ali. “The decryption key shows its face for a short period of time, and attackers are savvy in terms of launching attacks during the decryption process to figure out what the key is,” she says.

Arneja says hackers try to figure out a way to reverse engineer the application to isolate the key. “Either through memory dumping or through a variety of other mechanisms, they replace the key with a fake key, which allows them rights to that application’s rights that were not intended,” he says.

According to Ali, this key could be guarding an entire repository of e-discovery documents or used in a license management paradigm that gives you access to a certain application as a legitimate customer, says Ali. “The questions I would want to ask myself are, ‘What is this key doing, and how am I protecting it?’”

Breaking Up The Puzzle
“There’s always a way to beat any security mechanism, and the job of security vendors is to make sure that it’s difficult enough to defeat their products that a hacker won’t even bother trying,” says Voltage’s Martin. Given that truism, several techniques are available that, when used in concert with encryption, are effective in frustrating all but the most determined blackhats.

“Obfuscation or confusion of data or code has been around forever, and there are also ways to be proactive by taking a snapshot of your code or instructions and runtime and replace them with the original set,” says Arxan’s Arneja. In addition, a variety of mechanisms work as decoys so that if a hacker has figured out a way through the encryption mechanism, he can be led down the wrong path, he says.

White box cryptography obfuscation solutions take a single decryption operation and break it up into several multipath decompositions with multiple keys, Ali says. “By breaking up the key, you don’t have a single key to compromise,” she says.

“Then you also use technology so the execution traces for the decryption are extremely hard to reassemble because they’re hiding in so many parts of [the] application. It’s like putting together a puzzle without having any idea what the picture looks like,” Ali continues. “You’ve got 1,000 pieces, but you don’t know what you’re looking for.”


  • Home
  • Products
  • Solutions
  • Our Company
  • Resources
  • Support
  • Contact Us
  • Arxan Defense Systems
  • Feedback
  • General Inquiries
  • Legal Notices
  • Trademarks
  • Site Map
  • Privacy Policy

© Copyright 2008 Arxan Technologies, Inc. All rights reserved.