Banner Default Image

White Box Cryptography

Thales is the first to offer White box cryptography as an integral part of its Sentinel portfolio of software licensing solutions

Cryptographic key discovery is one of today’s most prevalent threats in the DRM arena. It is therefore critical to protect those keys to such an extent that repeatable, reproducible and sustainable attacks cannot be easily and consistently generated against these implementations. White box cryptography is believed to be the “silver bullet” to cryptographic key discovery vulnerabilities. White box cryptography is an important aspect to the strategy of the cryptographic key protection, but it is also necessary to protect the secured application in which the keys are used.

The Methodology Behind White Box Cryptography

The white box scenario, in contrast with black and gray box scenarios, handles far more severe threats while assuming hackers have full visibility and control over the whole operation. Hackers can freely observe dynamic code execution (with instantiated cryptographic keys) and internal algorithm details are completely visible and alterable at will. Despite this fully transparent methodology, white box cryptography integrates the cipher in a way that does not reveal the key.

It allows protecting the cryptographic key at all times, rather than breaking it up and revealing it only a piece at a time. From a security perspective, this ensures that the protected key remains hidden from hackers and is therefore not susceptible to reconstruction during a potential attack process.

An Integral Part of Thales's Security Measures

Thales is the first to offer white box cryptography as an integral part of its Sentinel portfolio of software licensing solutions. The secure communication channel provided by Thales's Sentinel products ensures that the communication between the protected application and the hardware token is encrypted and cannot be replayed. Unlike the previous implementation which aimed to hide the encryption key, the new implementation is centered on white box cryptography, where it is assumed that the attacker can trace the protected application and the runtime environment, in search for the encryption key.

With this assumption as part of the design, the algorithm and encryption keys are replaced with special vendor-specific API libraries that implement the same encryption, but embed the encryption key as part of the algorithm, in a way that ensures that it’s never present in the memory and therefore cannot be extracted. The generation of the vendor-specific libraries is performed on Thales servers utilizing several trade secrets. In addition, each application library is individually generated and obfuscated for a specific software vendor - making a generic hack virtually impossible.

Beyond White Box Cryptography - A Complete Security Strategy

White box cryptography is an important aspect to the strategy of the cryptographic key protection, but it is also necessary to protect the secured application in which the keys are used. To do so robustly and in a performance-efficient manner, several static and dynamic reverse-engineering mechanisms should be employed. Additional protection tools such as obfuscation and enveloping are critical to comprehensive security. Sentinel’s award-winning family of licensing solutions leverage various protection algorithms and mechanisms that keep your software covered on all fronts. To do so robustly and in a performance-efficient manner, several static and dynamic reverse-engineering mechanisms should be employed.

Additional protection tools such as obfuscation and enveloping are critical to comprehensive security. It is important to consider the full spectrum of threats to the application and protect it accordingly. 

Thales is the first and only vendor to offer White box cryptography as an integral part of its Sentinel portfolio of software licensing solutions. This new technology allows protecting the cryptographic key at all times, rather than breaking it up and revealing it only a piece at a time. From a security perspective, this ensures that the protected key remains hidden from hackers and is therefore not susceptible to reconstruction during a potential attack process.