Cryptographic Key Protection
Encryption is Not Enough
Applications across all platforms use cryptography to secure data at rest and in motion. Cryptographic keys play an essential part in encrypting and decrypting the data. The cryptographic algorithm is analogous to a vault, and the keys are equivalent to the combination of a safe. The length of the combination here represents the length of the key (Ex, 128 bit, 256 bit), so the longer the combination, the more challenging it is to brute force.
But cybercriminals today are not trying to break into the vault. They are focused on stealing the combination, i.e., your encryption key. And most enterprises are highly vulnerable to key-focussed attacks for two big reasons:
- Poor implementations of encryption that don’t account for hostile environments
- Poor practices lead to key exposure when storing and using keys
How Cybercriminals are Stealing Keys
Exploit poor Key Management practices
Exploit hardware-based security storage
Inspect apps in an execution environment under their control
Use malware to steal keys from device memory
Exfiltrate keys embedded in the source code
Compromising unsecured cloud storage
Secure Your Cryptographic Keys with White-Box Cryptography
Zimperium zKeyBox leverages white-box cryptography to protect keys and secrets within your mobile application. Fundamentally, white-box cryptography is an approach to hiding keys used in general-purpose software implementations. It transforms and obscures cryptographic algorithms so that keys never appear in the clear and the execution logic is untraceable. Your keys cannot be extracted—even if the device itself has been compromised. Key benefits include:
- Supports All Standard & Custom Algorithms. Agnostic security works on all platforms and devices. Protect any cryptographic algorithm such as AES, 3DES, RSA, ECC, HMAC, etc. Custom algorithm support is also available.
- No Hardware Dependency. No dependency on any hardware based mechanisms provided by the platforms. (Ex. Keystores, Secure Enclave, Trusted Execution Environment (TEE) on Android)
- Protect Keys When Stored, In Transit, and In Use. Keep keys safe at all times, even on compromised, jailbroken, or rooted devices. Keys are never exposed in memory; algorithms operate directly on encoded keys.
Platforms Supported
Why Zimperium for Cryptographic Key Protection
Simple Deployment & Integration
zKeyBox is simple to integrate and offers plug-and-play replacement for standard cryptographic libraries.
Built-In Support for Regulations
Supports DUKPT key management, TR-31 key blocks, and separation of payment card and PIN data as specified by PCI-DSS.
Integrated Security Suite
zKeyBox is part of our Mobile App Protection Suite, the only unified platform with centralized visibility and comprehensive in-app protection.
“ToothPic’s mission is to help companies to enhance the security of their digital services through our unique technology. We were looking for a technological partner who shared our same goal and Zimperium turned out to be the perfect one to collaborate with. The integration of Zimperium’s zKeyBox in our Key Protection SDK has strengthened the robustness of our technology. Together we brought the security to the next level, offering on the market a solution never seen before.”
– Giulio Coluccia, CEO & Co-Founder of ToothPic
Recommended Reading
Top 5 Cryptographic Key Protection Best Practices
Read the top five best practices that developer teams should implement to keep cryptographic keys safer.
How to Make Mobile Payments Frictionless, Open and Secure for Everyone
Speakers: Andrew Cole (Chief Financial Officer of Felix Payment Systems), Noah Fitzgerald (Chief Operations Officer of Felix Payment Systems), & Krishna Vishnubhotla (VP of Product Strategy at Zimperium)
Complying with the PCI CPoC Standard
Download our report for an in-depth look at PCI CPoC requirements and how to meet them.