White-box cryptography uses encryption, obfuscation, and mathematical transformations to secure keys and critical data inside applications running in untrusted environments. Common cryptographic practice does not assume that keys will be stored in untrusted environments, which leaves keys stored there vulnerable to application attacks such as reverse engineering.

If an app processes encrypted content, it needs a key to decrypt incoming traffic and encrypt outgoing traffic. This encryption and decryption is handled by functions inside the application's code. If the app's code is reverse engineered and the cipher keys are unprotected, the keys used to encrypt and decrypt content can be discovered, giving a bad actor what they need to decipher encrypted information. Data resident in the app can then be compromised, along with all incoming and outgoing communications the app uses to interact with back-office systems.

Once cipher keys are uncovered, they can be copied, redistributed, and used maliciously. Detecting misuse of compromised keys is nearly impossible, since they will be used in seemingly legitimate traffic. Remediating a key breach is time- and resource-intensive and requires re-keying and updating every app and process that uses those keys.

Unsecured cipher keys are a threat vector that must be remediated, since existing data protection methods were not designed to defend keys from being discovered via reverse engineering or compromised app code. White-box cryptography was introduced to make it possible to provide secure cryptographic implementations in apps where attackers can manipulate the code and data at will.

What is White-Box Cryptography

White-box cryptography produces the same output for a given input as a normal cryptographic implementation, but the internals of how it does so are completely different from a standard crypto implementation. As a result, the cipher keys are not revealed, and it becomes very difficult for an attacker to understand what is happening. Maintaining the confidentiality of the key is how the data remains secure.

How White-Box Cryptography Works

White-box cryptography uses mathematical techniques and transformations to blend app code and keys together so that cryptographic operations are secured. This prevents those keys from being found or extracted from the app. The way each white-box cryptography implementation works is unique and generally confidential to its creator. Different white-box implementations include different protections against attacks, especially as new attacks against older white-box implementations are developed. White-box implementations can include protections against static analysis, runtime code modifications, timing attacks, and fault injection, among others.
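The idea of "same output, different internals" can be shown with a toy table-based construction. This is an added teaching example, not Arxan's implementation or any product's method, and it is not secure. The byte-wide cipher, the `SBOX` permutation, the sample round keys and all function names are constructed for illustration.

```python
import random

# Public, fixed byte permutation standing in for a cipher S-box (constructed).
SBOX = list(range(256))
random.Random(2024).shuffle(SBOX)

def reference_encrypt(byte, round_keys):
    """Standard form: the round keys sit in memory as plain values."""
    for k in round_keys:
        byte = SBOX[byte ^ k]
    return byte

def random_bijection(rng):
    """Random byte permutation and its inverse, used as an internal encoding."""
    fwd = list(range(256))
    rng.shuffle(fwd)
    inv = [0] * 256
    for i, v in enumerate(fwd):
        inv[v] = i
    return fwd, inv

def build_tables(round_keys, rng):
    """Fold each round key into a table T_i = g_i . SBOX . xor(k_i) . g_{i-1}^-1.

    Runs at build time; only the returned tables ship with the app.
    """
    identity = list(range(256))
    tables, prev_inv = [], identity
    for i, k in enumerate(round_keys):
        last = i == len(round_keys) - 1
        # The final round uses the identity encoding so the output is unencoded.
        fwd, inv = (identity, identity) if last else random_bijection(rng)
        tables.append([fwd[SBOX[prev_inv[x] ^ k]] for x in range(256)])
        prev_inv = inv
    return tables

def table_encrypt(byte, tables):
    """Shipped form: table lookups only, no key variable anywhere."""
    for t in tables:
        byte = t[byte]
    return byte

if __name__ == "__main__":
    keys = [0x3A, 0xC5, 0x71, 0x0E]  # constructed sample round keys
    tables = build_tables(keys, random.SystemRandom())
    assert all(reference_encrypt(x, keys) == table_encrypt(x, tables) for x in range(256))
    print("table form matches reference on all 256 inputs")
```

Each build draws fresh internal encodings, so two builds for the same key ship different tables that compute the same function.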

Arxan Key & Data Protection

Arxan’s Key & Data Protection encrypts static and dynamic keys, as well as sensitive application data, by keeping the most critical elements out of sight and hardened against attackers. Arxan supports all major cryptographic algorithms and modes while requiring only a minimal code footprint to achieve optimal application performance.

How to Hide Sensitive Data in Plain Sight

Download the White-Box Cryptography solution brief to learn how Arxan safeguards sensitive data.