Intertrust launches enterprise-ready white-box cryptography solution for web apps

Intertrust announced the launch of whiteCryption Secure Key Box (SKB) for Web at the RSA Conference 2020. The first and only enterprise-ready white-box cryptography solution for web applications, it ensures that web apps can be used without fear of exposing the underlying keys and credentials to cyberattack.

SKB for Web brings Intertrust’s proven whiteCryption white-box technology, which prevents hackers from extracting keys using either static or dynamic methods, to web applications. SKB for Web is delivered as a JavaScript consumable API that securely performs all common cryptographic functions.

It protects cryptographic keys even when running on a compromised host, and provides stronger and broader protection than low-level interfaces, such as the Web Crypto API, which do not secure against side-channel and other attacks running outside the browser.

“A lot of people think that by using cryptography they are securing their systems, but what they often don’t realize is that they are merely shifting the problem of data protection to protecting the keys,” said Bill Horne, general manager of the Secure Systems product group at Intertrust.

“Secure Key Box for Web prevents hackers from stealing keys from Web applications, resisting existing and future side-channel and fault injection attacks with ‘drop-in and go’ ease that requires no additional operations or protocols.”

Information shared via a browser often needs to be encrypted to ensure rogue actors cannot access proprietary data and systems, impersonate a legitimate user, generate fraudulent digital signatures, or modify or create entirely false data and transactions.

However, with the skyrocketing growth of applications running on mobile devices, as well as the overall migration of applications to the cloud and the use of JavaScript, there are a host of downstream impacts and new risk vectors that expose the cryptographic keys that protect this information from theft.

For example, applications increasingly use APIs to interact with server-side applications, yet browser APIs and third-party cryptographic libraries cannot protect keys from attacks on the underlying host without having access to underlying hardware security support.

Hackers are able to obtain keys through various techniques including scanning memory at runtime for keys, or examining code to find hard-coded keys, and then employ the same key in attacks against the server.

Horne explained, “SKB for Web makes it extremely difficult for an attacker to reverse engineer apps or extract key information even when the Javascript source code of the implementation is available.”

The solution prevents application attacks by enabling standard cryptographic functions to be performed without the keys ever being exposed whether in use or at rest. SKB for Web also protects keys and credentials from side-channel attacks by making them safe from exploits running within the browser, as well as natively on the PC or device.