White-Box Cryptography for Cryptographic Key Protection

What is White-Box Cryptography?

The use of encryption has become ubiquitous in virtually all our digital interactions, whether we’re logging into a banking app, making a purchase, or checking email. While encryption is vital, it isn’t enough if underlying cryptographic keys are vulnerable to attackers. However, too often, the protection of cryptographic keys is overlooked, leaving sensitive assets and services exposed.

White-box cryptography represents an important approach for cryptographic key protection. Fundamentally, white-box cryptography is an approach to hiding keys used in general-purpose software implementations. Through white-box cryptography, cryptographic elements are implemented in a way that ensures that, even if a cyber attacker gains full visibility into the cryptographic implementation, they won’t be able to gain access to keys or encrypted resources in the clear.

Zimperium Zkeybox Digital Key Box

How Cyber Criminals are Stealing Keys

zKeyBox_icon_3_security_storage

Exploit hardware-based security storage

zKeyBox_icon_3_inspect_apps

Inspect apps in an execution environment under their control

zKeyBox_icon_3_steal_keys

Use malware to steal keys from device memory

zKeyBox_icon_3_exfiltrate_keys

Exfiltrate keys embedded in the source code

zKeyBox_icon_3_unsecured_cloud

Compromising unsecured cloud storage

zKeyBox_icon_3_exploit_keymanagement

Why Use White-Box Cryptography to Secure Keys

Today, cybercriminals are not trying to break advanced encryption algorithms; they are focused on stealing cryptographic keys used by the application. Further, the reality is that most cryptographic implementations are vulnerable as they do not account for hostile environments. This is especially true in the case of smartphones, where app binaries are readily available in the app stores for hackers to inspect and tamper with.

By leveraging white-box cryptography, security teams can ensure that attackers can’t find and exfiltrate cryptographic keys using reverse-engineering or dynamic inspection techniques. White-box cryptography ensures that the implementation of cryptographic algorithms is secure even if the attacker controls the device and the execution environment.

Zimperium’s zKeyBox uses white-box cryptography to hide and protect cryptographic keys so that they are never revealed in plaintext — even during the execution of cryptographic algorithms. With such security in place, it becomes extremely difficult for attackers to locate, modify, or extract keys.

Learn More

Where to Use White-box Cryptography

Securing Mobile Apps

In recent years, we’ve seen explosive growth in the use of mobile devices to interact with sensitive data, enterprise apps, and critical infrastructure. This proliferation in mobile device usage offers tremendous benefits for individuals and businesses—and it also introduces unprecedented risks. While many mobile devices and apps employ encryption, these implementations can be vulnerable.

One way to protect cryptographic keys is to use the hardware means of the underlying platform, such as an HSM. That, however, is not available on all devices and different devices offer different features and APIs to access the hardware-backed cryptographic services.

By employing white-box cryptography with zKeyBox, teams can employ strong key security that is hardware agnostic and guards against the vulnerabilities posed by unsupported hardware and compromised devices. This solution transforms and obscures cryptographic algorithms so that keys never appear in the clear and the execution logic is untraceable. Consequently, keys cannot be extracted—even if a mobile device has been compromised.

Migrating to Cloud

Enterprises continue to grow increasingly reliant on cloud services, including for sensitive, business-critical apps and services that need to be encrypted. In migrating encrypted apps from on-premises models to the cloud, many teams struggle to find an optimal approach for retaining control over cryptographic keys and the sensitive assets they’re supposed to secure.

Security-minded organizations choose the hold your own key (HYOK) approach when migrating to the cloud. With this approach, the organization generates, manages, and stores encryption keys in their own environment. The cloud provider does not have access to the keys and can’t access the contents of encrypted files.

Zimperium zKeyBox enables teams to effectively leverage HYOK approaches. The solution leverages white-box cryptography to protect keys and secrets within applications, even when they’re running in multi-tenant, public cloud provider environments.

Why Zimperium for White-Box Cryptography?

Protect any standard or
custom
cryptographic algorithm.

Protect your keys
on any platform.

No dependency on
hardware
provided by the
underlying platforms.

Pentested regularly to
support regulatory compliance
(PCI, EMVCo, etc.).

High performance across a
wide range of architectures
(32-bit, x86, ARM, etc.).

Deep cryptographic
expertise
to guide every
step of your deployment.

Learn About the Mobile Application Protection Suite

Read More
Recommended Reading

DZone Trend Report | Enterprise Application Security: Building Secure and Resilient Applications

DZone’s Trend Report for Enterprise Application Security, sponsored by Zimperium, aims to equip developers with the tools, best practices, and advice they need to help implement security at every stage of the SDLC. Download Now.  

Top 5 Cryptographic Key Protection Best Practices

Read the top five best practices that developer teams should implement to keep cryptographic keys safer.

zKeyBox | Conceal & Obscure your Keys

Sign Up For Our Newsletter

Get the latest Mobile Security News and Updates in your inbox

Get started with Zimperium today