White box cryptography software protection
SafeNet announced a software protection solution that includes white box cryptography. The SafeNet Sentinel portfolio of software licensing and protection solutions now includes new functionality that protects security algorithms from attacks in “white box” environments, where attackers traditionally have been able to freely observe and alter dynamic code execution and internal algorithm details at will.
Traditionally, in software protection, cryptography has been virtually performed directly in front of the eyes of the attacker. There hasn’t been a black box protecting the secret keys and as such, the application’s execution can be monitored step by step with all accessed data is visible. In order to better secure and keep the secret keys out of harm’s way, a different approach needs to be taken.
“Our white box solution assumes that attackers have full visibility. It replaces the exposed algorithm and encryption keys with special application libraries that minimize the attack surface,” said Michael Zunke, CTO, Software Monetization Solutions, SafeNet. “This methodology ensures that the protected keys remains hidden from hackers and are less susceptible to reconstruction during attacks.”
With SafeNet’s white box solution, communication between protected applications and hardware tokens is encrypted, ensuring that the data passing through the secure channel cannot be replayed.
Unlike traditional solutions that simply aim to hide encryption keys, SafeNet’s implementation is centered on white box cryptography, which assumes that attackers can trace protected applications and run-time environments in search of encryption keys.
With this assumption as part of the design, the algorithm and encryption keys are replaced with proprietary API libraries that implement the same encryption but embed the encryption key as part of the algorithm in a way that ensures it is never present in memory and, therefore, cannot be extracted. Each application library is uniquely generated and obfuscated for each specific software vendor customer, making generic hacks virtually impossible to execute.
“Given the sophistication and level of today’s security breaches, it’s imperative that software vendors pay specific attention to software protection throughout the design and implementation stages, and continuously enhance it as part of the product lifecycle,” continued Zunke. “SafeNet’s software protection solutions allow ISVs to easily integrate a wide range of security measures, including white box cryptography, as part of their design directly at the source code level, further strengthening the overall protection scheme for the software vendor.”