White-Box Cryptography for Cryptographic Key Protection
What is White-Box Cryptography?
The use of encryption has become ubiquitous in virtually all our digital interactions, whether we’re logging into a banking app, making a purchase, or checking email. While encryption is vital, it isn’t enough if the underlying cryptographic keys are vulnerable to attackers. Yet too often the protection of cryptographic keys is overlooked, leaving sensitive assets and services exposed.
White-box cryptography is an important approach to cryptographic key protection. Fundamentally, it is a way of hiding the keys used by general-purpose software implementations. With white-box cryptography, cryptographic operations are implemented so that, even if an attacker gains full visibility into the implementation (its code, its memory, and its execution), they cannot recover the keys or the protected resources in the clear.
How Cyber Criminals are Stealing Keys
Exploit hardware-based secure storage
Inspect apps in an execution environment under their control
Use malware to steal keys from device memory
Exfiltrate keys embedded in the source code
Compromise unsecured cloud storage
Why Use White-Box Cryptography to Secure Keys
Today, cybercriminals are not trying to break advanced encryption algorithms; they are focused on stealing the cryptographic keys used by the application. Moreover, most cryptographic implementations are vulnerable because they do not account for hostile execution environments. This is especially true for smartphones, where app binaries are readily available in the app stores for attackers to inspect and tamper with.
By leveraging white-box cryptography, security teams can ensure that attackers can’t find and exfiltrate cryptographic keys using reverse-engineering or dynamic inspection techniques. White-box cryptography ensures that the implementation of cryptographic algorithms is secure even if the attacker controls the device and the execution environment.
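The table-composition idea behind the paragraphs above, as an added illustration that is not Zimperium's zKeyBox code nor any production white-box design: a toy byte cipher is written once in the ordinary way, with its round keys held as plain data, and once as a chain of lookup tables that absorb the round keys under random internal encodings, so the key never exists as a distinct value at rest or at run time. A simple scan for embedded key material (the "keys embedded in the source code" risk listed above) then finds the key in a model of the ordinary build but not in the table build. The cipher, its S-box, the key schedule, the encodings and the sample key are all constructed for this example.

```python
"""Toy white-box key embedding (added illustration, not Zimperium's zKeyBox
nor any production white-box design).

A tiny byte-oriented substitution cipher is written twice:
  * encrypt_ref  - the ordinary form, with the round keys held as plain data;
  * build_whitebox / encrypt_wb - the same function as a chain of 256-entry
    lookup tables that absorb each round key and are wrapped in random
    internal encodings, so the key never exists as a distinct value.
contains_key() models a defender's check for key material embedded in a
build artefact (the "keys embedded in the source code" risk on this page).
"""
import random

ROUNDS = 16   # one round-key byte per round; the key is therefore 16 bytes

# Constructed S-box: a fixed random permutation of 0..255 (deliberately not
# AES's S-box; any bijection works for the demonstration).
_sbox_rng = random.Random(2024)
SBOX = list(range(256))
_sbox_rng.shuffle(SBOX)


def _invert(perm):
    """Inverse of a permutation of 0..255 given as a list."""
    inv = [0] * 256
    for i, v in enumerate(perm):
        inv[v] = i
    return inv


def encrypt_ref(key: bytes, x: int) -> int:
    """Reference form: round r XORs key[r] into the state, then applies SBOX.
    The key bytes are live, readable data every time this runs."""
    assert len(key) == ROUNDS
    for r in range(ROUNDS):
        x = SBOX[x ^ key[r]]
    return x


def build_whitebox(key: bytes, rng=None):
    """Compile `key` into ROUNDS lookup tables.

    Table r computes  g_r( SBOX( g_{r-1}^{-1}(x) XOR key[r] ) ), where each g_r
    is a secret random permutation (an internal encoding). Consecutive
    encodings cancel, so the chain equals encrypt_ref; without them a single
    table would map straight back to its round key. The first input and the
    last output are left unencoded (no external encodings) for simplicity.
    """
    assert len(key) == ROUNDS
    rng = rng or random.SystemRandom()   # build-time randomness must stay secret
    tables = []
    prev_enc = list(range(256))          # identity: the input is unencoded
    for r in range(ROUNDS):
        out_enc = list(range(256))
        if r < ROUNDS - 1:
            rng.shuffle(out_enc)         # fresh random encoding g_r
        in_dec = _invert(prev_enc)       # undo the previous round's encoding
        table = bytes(out_enc[SBOX[in_dec[x] ^ key[r]]] for x in range(256))
        tables.append(table)
        prev_enc = out_enc
    return tables


def encrypt_wb(tables, x: int) -> int:
    """White-box form: pure table lookups; no key and no XOR anywhere."""
    for table in tables:
        x = table[x]
    return x


def naive_image(key: bytes) -> bytes:
    """Model of the data section an ordinary build ships: S-box plus key."""
    return bytes(SBOX) + key


def whitebox_image(tables) -> bytes:
    """Model of the data section the white-box build ships: only the tables."""
    return b"".join(tables)


def contains_key(image: bytes, key: bytes) -> bool:
    """Defender's check: does the key appear verbatim in a build artefact?"""
    return key in image


def demo(key: bytes = bytes(range(0x10, 0x20))):
    """Check equivalence over the whole input space and run the key scan."""
    tables = build_whitebox(key, random.Random(7))   # fixed seed for the demo only
    equivalent = all(encrypt_ref(key, x) == encrypt_wb(tables, x) for x in range(256))
    return {
        "equivalent": equivalent,
        "key_in_naive_image": contains_key(naive_image(key), key),
        "key_in_whitebox_image": contains_key(whitebox_image(tables), key),
    }


if __name__ == "__main__":
    # prints {'equivalent': True, 'key_in_naive_image': True, 'key_in_whitebox_image': False}
    print(demo())
```

Two caveats when reading this: the toy cipher has no diffusion and exists only to show the structure, and the internal encodings are what stop each table from being inverted straight back to its round key. Real table-based designs are combined with further obfuscation and anti-tampering controls, because published academic attacks on table-based white-box AES exist; that is the reason a deployed product of this kind is pentested regularly, as this page notes below.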
Zimperium’s zKeyBox uses white-box cryptography to hide and protect cryptographic keys so that they are never revealed in plaintext — even during the execution of cryptographic algorithms. With such security in place, it becomes extremely difficult for attackers to locate, modify, or extract keys.
Where to Use White-box Cryptography
Securing Mobile Apps
In recent years, we’ve seen explosive growth in the use of mobile devices to interact with sensitive data, enterprise apps, and critical infrastructure. This proliferation in mobile device usage offers tremendous benefits for individuals and businesses—and it also introduces unprecedented risks. While many mobile devices and apps employ encryption, these implementations can be vulnerable.
One way to protect cryptographic keys is to rely on the hardware-backed key storage of the underlying platform, such as an HSM. That, however, is not available on all devices, and different devices offer different features and APIs for accessing hardware-backed cryptographic services.
By employing white-box cryptography with zKeyBox, teams can employ strong key security that is hardware agnostic and guards against the vulnerabilities posed by unsupported hardware and compromised devices. This solution transforms and obscures cryptographic algorithms so that keys never appear in the clear and the execution logic is untraceable. Consequently, keys cannot be extracted—even if a mobile device has been compromised.
Migrating to Cloud
Enterprises continue to grow increasingly reliant on cloud services, including for sensitive, business-critical apps and services that need to be encrypted. In migrating encrypted apps from on-premises models to the cloud, many teams struggle to find an optimal approach for retaining control over cryptographic keys and the sensitive assets they’re supposed to secure.
Security-minded organizations choose a hold your own key (HYOK) approach when migrating to the cloud. With this approach, the organization generates, manages, and stores encryption keys in its own environment; the cloud provider has no access to the keys and cannot read the contents of encrypted files.
Zimperium zKeyBox enables teams to effectively leverage HYOK approaches. The solution leverages white-box cryptography to protect keys and secrets within applications, even when they’re running in multi-tenant, public cloud provider environments.
Why Zimperium for White-Box Cryptography?
Protect any standard or custom cryptographic algorithm.
Protect your keys on any platform.
No dependency on hardware provided by the underlying platforms.
Pentested regularly to support regulatory compliance (PCI, EMVCo, etc.).
High performance across a wide range of architectures (32-bit, x86, ARM, etc.).
Deep cryptographic expertise to guide every step of your deployment.