Cryptographic Key Protection
Cryptography is at the heart of secure communication worldwide, and has become an indispensable protection mechanism for securing systems, communications and applications. Cryptographic keys are the fundamental building block of this protection mechanism.
What is White-Box Cryptography?
The term “white-box cryptography” (WBC) describes a secure implementation of cryptographic algorithms in an execution environment, such as on a desktop computer or a mobile device, which is fully observable and modifiable by an attacker. White-box cryptography is intended for any security system that employs cryptographic algorithms and keys, and that is executed in an open and untrusted environment, such as on a desktop computer, mobile device, or embedded system.
A Cryptographic Key is used to:
- Protect digital assets, including media, software and devices
- Encrypt user licenses
- Bind devices
- Prove identity
- Secure communication against eavesdroppers
- Protect Host Card Emulation (HCE)
Watch the short video to learn:
- How cryptographic keys are being used in a variety of applications
- Techniques hackers are leveraging to steal keys
- Arxan’s unique approach to cryptographic key protection
Keys are the critical component for securing systems, communication and applications, and therefore must be protected at all times. Examples of such systems are Digital Rights Management clients, Conditional Access Systems, game consoles, and set-top boxes.
While offering strong protection, cryptography makes the assumption that cryptographic keys are kept absolutely secret. This assumption is very difficult to guarantee in real life since applications and systems can be compromised relatively easily. Access to digital content, data and information systems is commonly protected by encryption, a first line of defense. However encryption has a single point of failure – the instance at which the decryption key is used. This point is easily identifiable through signature patterns and cryptographic routines. Once found, an attacker can easily navigate to where the keys will (typically) be constructed in memory. Subsequently, fatal exploits can be easily created.
Arxan’s White-Box Cryptography Solution
Arxan provides the strongest and most robust white-box cryptography solution. Our solution protects:
- Static keys – Embedded in an application when it ships
- Dynamic keys – Generated on the fly at run-time
- Sensitive user-data
Our solution offers a range of technical benefits:
- It offers stronger security than any other white-box cryptography solution
- Supports all major cryptography standards and functionality
- Offers a smaller footprint than other white-box cryptography solutions
- Delivers better performance
Our Solution, TransformIT®, is a sophisticated implementation of white-box cryptography. It combines mathematical algorithm with data and code obfuscation techniques to transform the key and related operations so keys cannot be discovered. The keys are never present in static form or in memory at runtime.
TransformIT® works by clearly separating the data into two domains:
- Open Domain – Contains data that the application needs to access. All code and data can be understood by the attacker
- Encrypted Domain – Contains keys, cryptographic routines and any sensitive data
This approach, from an attackers point of view, makes it impossible to meaningfully interpret the data within the encrypted domain.
TransformIT® works in conjunction with our patented guarding technology to provide comprehensive protection. It:
- Provides keys in white-box form for use in the cryptographic operations performed
- Allows both obfuscation and encryption on sensitive data and chained-together cryptographic operations, to reduce or remove the possibility of a successful attack.
Download the Securing Cryptographic Keys White Paper to learn more.
How is TransformIT Implemented?:
- Step 1: Create the Crypto Key Representation
- Step 2: Compile TransformIT library into application
- Step 3: Harden with Guards
- Step 4: Deploy hardened application with TransformIT and transformed key