Defense-in-Depth for Keys
Cryptography forms the basis of information security infrastructure. Data encryption, network traffic encryption, PKI-based authentication and digital signatures all depend on the confidentiality of secret keys and on the integrity of the public keys and certificate authority (CA) keys an application trusts. When a key is compromised, the security system built on it can no longer protect data, no matter how strong the algorithm.
Perimeter security measures such as firewalls, secure remote access and anti-virus utilities provide a first line of defense for data. However, they are ineffective by themselves in protecting enterprises against today’s targeted application-based attacks. Additionally, perimeter security measures cannot protect client-side applications against compromise. Accordingly, experts today are recommending that companies focus on securing applications themselves.
Arxan provides key transformation technology, TransformIT, to specifically protect secret and public keys against targeted discovery and replacement exploits. This provides a first layer of defense against data theft attacks. Arxan’s application hardening technology, GuardIT, complements this key protection, fortifying the overall application against tampering, reverse engineering, malware invasion, intellectual property (IP) theft and other forms of compromise.
Information System Security Challenges
Authentication, data encryption, hashing and digital signing are fundamental tools in the enterprise's information security arsenal. Public key infrastructure (PKI) is the most common application of public-key cryptography to information security, and forms the basis for SSL/TLS and code signing.
The security of these tools is predicated on the confidentiality of the server, client and certificate authority (CA) private keys, and on the integrity of the application's copy of the corresponding public keys. The two classes of key attack are:
- Discovery of secret or private keys. Extraction or theft of a private key exposes you to a wide variety of risks, including:
  - Unrestricted access by a malicious party to confidential data, for example by using a stolen key to spoof application-to-application (A2A) authentication.
  - Eavesdropping on sensitive communication, for example by decrypting or intercepting an SSL/TLS channel whose server key has been compromised.
  - Impersonation or modification of signed documents, or tampering with signed code.
- Tampering with a public key or with the list of trusted certificate authorities.
Public keys are often seen as inviolate and permanently safe. However, a computer application only knows a public key as a string of bytes stored in its binary or configuration. A hacker can replace an application's copy of a public key with an arbitrary public key, or add a malicious public key to an application's list of trusted certificate authorities; the application then verifies signatures and certificates against the attacker's key instead of the legitimate one.
Public key tampering attacks are particularly relevant to client applications, but are also pertinent to server-side applications due to the threat of insider attacks. Tampered public keys threaten e-commerce and m-commerce transactions with spoofing, phishing and denial of service attacks. They also enable code tampering attacks and subversion of authentication safeguards.
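The following program is an added example, not code from the original page or from Arxan, that demonstrates the two tampering attacks described above on a small Go signature verifier built from the standard library's Ed25519 implementation. The "application" holds its trusted signing keys as plain byte slices, as real applications do. In the first attack the attacker overwrites the embedded key bytes with their own key, so attacker-signed input verifies and genuine input is rejected (a denial of service on the legitimate publisher). In the second attack the attacker leaves the real key alone and appends their own to the trust list, which is stealthier because genuine input keeps verifying. All key pairs, payloads and the trust-store layout are constructed for this example. The pinned SHA-256 of the trust store is an illustrative integrity check only: the pin is itself just bytes in the same binary and can be patched along with the key, which is why the page argues that the key material and the application around it need to be hardened rather than merely checked.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// TrustStore models the application's copy of its trusted signing keys. To the
// program they are nothing more than byte slices, which is what an attacker
// edits. Pin is a hash of the keys the application was built with.
type TrustStore struct {
	Keys []ed25519.PublicKey
	Pin  [32]byte
}

// NewTrustStore copies the keys so that later tampering with the store does
// not alias the caller's key material.
func NewTrustStore(keys ...ed25519.PublicKey) *TrustStore {
	ts := &TrustStore{}
	for _, k := range keys {
		ts.Keys = append(ts.Keys, append(ed25519.PublicKey(nil), k...))
	}
	ts.Pin = ts.hashKeys()
	return ts
}

func (ts *TrustStore) hashKeys() [32]byte {
	h := sha256.New()
	for _, k := range ts.Keys {
		h.Write(k)
	}
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// Accept is the unhardened check: a signature is accepted if it verifies under
// any key currently in the store, whatever has happened to the store.
func (ts *TrustStore) Accept(payload, sig []byte) bool {
	for _, k := range ts.Keys {
		if ed25519.Verify(k, payload, sig) {
			return true
		}
	}
	return false
}

// AcceptPinned first compares the store against its pinned hash, so a swapped
// or appended key is detected before any signature is considered.
func (ts *TrustStore) AcceptPinned(payload, sig []byte) (bool, error) {
	if ts.hashKeys() != ts.Pin {
		return false, errors.New("trust store has been modified")
	}
	return ts.Accept(payload, sig), nil
}

// Scenario records the outcome of each step so it can be checked by name.
type Scenario struct {
	GenuineOK, AttackerRejected         bool // baseline, untampered store
	SwapAcceptsAttacker, SwapRejectsGenuine bool // attack 1: key replaced in place
	AppendAcceptsAttacker, AppendKeepsGenuine bool // attack 2: attacker CA appended
	PinCatchesSwap, PinCatchesAppend     bool // pinned-hash check on each attack
}

// RunScenario plays both attacks against a fresh store and returns what the
// verifier accepted at each stage.
func RunScenario() (Scenario, error) {
	var s Scenario
	publisherPub, publisherPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return s, err
	}
	attackerPub, attackerPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return s, err
	}

	// Constructed sample payloads: a legitimate update and an attacker's build.
	genuine := []byte("update 1.2.3 (constructed sample)")
	genuineSig := ed25519.Sign(publisherPriv, genuine)
	malicious := []byte("update 1.2.3 (constructed attacker build)")
	maliciousSig := ed25519.Sign(attackerPriv, malicious)

	// Baseline: only the publisher's key is trusted.
	ts := NewTrustStore(publisherPub)
	s.GenuineOK = ts.Accept(genuine, genuineSig)
	s.AttackerRejected = !ts.Accept(malicious, maliciousSig)

	// Attack 1: overwrite the embedded key bytes in place.
	copy(ts.Keys[0], attackerPub)
	s.SwapAcceptsAttacker = ts.Accept(malicious, maliciousSig)
	s.SwapRejectsGenuine = !ts.Accept(genuine, genuineSig)
	_, err = ts.AcceptPinned(malicious, maliciousSig)
	s.PinCatchesSwap = err != nil

	// Attack 2: leave the real key alone and append the attacker's key.
	ts = NewTrustStore(publisherPub)
	ts.Keys = append(ts.Keys, attackerPub)
	s.AppendAcceptsAttacker = ts.Accept(malicious, maliciousSig)
	s.AppendKeepsGenuine = ts.Accept(genuine, genuineSig)
	_, err = ts.AcceptPinned(genuine, genuineSig)
	s.PinCatchesAppend = err != nil
	return s, nil
}

func main() {
	s, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", s)
}
```

Running it prints every field as true: the unhardened verifier accepts the attacker's payload after either form of tampering, and the appended-CA variant does so without disturbing the genuine publisher at all, which is what makes it hard to notice in production.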
Learn more about the threats your enterprise data security applications face and how Arxan’s Guard technology with our white box cryptography security solution, TransformIT, helps you meet your compliance and security goals, as well as fiduciary responsibilities.