White-Box Cryptography: An Introduction

Cryptographic keys are needed for cyber countermeasures to be secure. Without them, even the most sophisticated encryption ciphers become useless.

You are not alone if you are unfamiliar with white-box cryptography. An informal survey conducted on cryptographic key protection at last year’s RSA Security Conference (2020) revealed that less than 10% of the audience had ever heard of it, let alone knew what it was or could accomplish.

Cryptographic keys are required to secure cyber defenses; without them, even the finest encryption ciphers become ineffective. White-box cryptography is a technique of securing cryptographic keys that are implemented in software and may be used instead of or in addition to hardware-based key security. It uses encryption, obfuscation, and mathematical transformation methods to conceal cryptographic keys and algorithms, ensuring that they stay secure even if the software or a device is hacked.

Before we get into the specifics of what it means, let us go over some background information.

What Is Cryptography?

To put it simply, cryptography is the process of concealing vital information from malevolent users while effectively transmitting data to a target destination.

For the most part, cryptography is the process of converting unencrypted simple/plain texts into ciphertext (a process known as encryption) and then reversing the process (known as decryption).

What Is White-box Cryptography, and How Does It Work?

White-box cryptography performs the same functions as conventional algorithms without disclosing the intermediate values. It conceals and combines an algorithm’s underlying data and execution flow, making it very difficult to identify and classify cryptographic keys. The credentials and processing mechanism of a “standard” cryptographic system are easily identifiable and not tamper-proof. In contrast, in a well-designed white-box system, keys cannot be retrieved. Efforts to alter code result in the executable being broken.

Why Is It Necessary to Use White-box Cryptography?

Almost every digital transaction must be encrypted in order to be safe. For example, encryption is required to safeguard financial data sent during an online transaction, patient information submitted through a medical device, and material broadcast via an OTT video provider. Cryptographic keys are used by any software program that processes encrypted data to decrypt received data and encrypt outbound data. Unfortunately, through memory analysis, reverse engineering, side-channel exploits, and other hacking methods, unprotected keys may be readily extracted from a program.

Typically, cryptographic operations have been protected via the use of hardware components such as trusted platform modules (TPMs), hardware security modules (HSMs), trusted execution environments (TEE), and Secure Enclaves (SEs). These are referred to as black-box models because their interior workings are effectively concealed from the viewer. However, reverse engineering a hardware module and analyzing or manipulating its internal data is challenging and costly for attackers.

The targeted software may be installed and executed in a compromised environment, including a rooted or jailbroken device. For this reason, we need white-box cryptography. It is based on the worst-case scenario. A hacker has complete control of the operating system and the inner dynamics of a visible and changeable algorithm. The issue then becomes how to maintain the security of cryptographic keys in such an untrustworthy environment.

How Is White-box Cryptography Different from Code Obfuscation?

While white-box cryptography implements obfuscation methods, it is not synonymous with code obfuscation. Simply, code obfuscation is the process of transforming code in such a way that it becomes exceedingly difficult to analyze. White-box cryptography goes beyond that; it employs additional data transformation methods targeted particularly at safeguarding cryptographic algorithm software implementations. As a consequence, secret cryptographic keys are always safe and concealed.

Where Does White-box Cryptography Come into Play?

Today’s apps include an increasing amount of sensitive data, making them appealing attack targets. Simultaneously, they are deployed on unprotected endpoints that must be assumed to be hacked. As a result, developers must provide programs to secure their cryptographic techniques and keys regardless of where they execute. White-box cryptography has established itself as the gold standard for delivering this level of security without requiring hardware support.

Numerous software applications that store and handle sensitive data benefit from white-box cryptography. In specific sectors, it is a crucial component of their security policy. Here are a few examples of particular applications.

Contactless NFC Payments

The latest mobile payment apps use near field communication (NFC) technology to transform ordinary, commercially available phones into contactless payment terminals. These are game-changers for companies, particularly those with limited resources, to invest in specialist point-of-sale systems. However, security is a primary issue. The Payment Card Industry Security Standards Council (PCI SSC) has concluded that white-box cryptography is the optimal method for ensuring highly flexible data protection for cryptographic keys in such applications, regardless of the device they run.

OTT Platforms

The rise of over-the-top video services has created a similar difficulty for those tasked with protecting video material from hackers while simultaneously guaranteeing ease of access and a pleasant watching experience for paying consumers. White-box cryptography applies to both apps and set-top boxes used by OTT video providers to deliver content.

Medical Applications

Medical device data is encrypted and sent using a compact cipher. Additionally, the data may be signed to guarantee its integrity. Generally, a key is secure inside the boundaries of a medical device as well as on cloud servers. The program or apps functioning on the smartphone or desktop PC is the weakest link. White-box cryptography safeguards the decryption and signing keys, ensuring that no medical data is stolen or tampered with.

Thus, white-box cryptography is a critical component of any software security approach. This technique enables cryptographic operations to be performed without disclosing any sensitive information, including the cryptographic key. Without this, attackers may effortlessly steal encryption data from the binary architecture, memory, or information intercepted during execution.