Cryptographic key discovery is one of today’s most prevalent threats in the DRM arena. It is therefore critical to protect those keys to such an extent that repeatable, reproducible and sustainable attacks cannot be easily and consistently generated against these implementations. White box cryptography is believed to be the “silver bullet” to cryptographic key discovery vulnerabilities. White box cryptography is an important part of a cryptographic key protection strategy, but it is also necessary to protect the secured application in which the keys are used.
To do so robustly and in a performance-efficient manner, several static and dynamic anti-reverse-engineering mechanisms should be employed. Additional protection tools such as obfuscation and enveloping are critical to comprehensive security. It is important to consider the full spectrum of threats to the application and protect it accordingly. SafeNet is the first and only vendor to offer White box cryptography as an integral part of its Sentinel portfolio of software licensing solutions. This new technology protects the cryptographic key at all times, rather than breaking it up and revealing it only a piece at a time. From a security perspective, this ensures that the protected key remains hidden from hackers and is therefore not susceptible to reconstruction during a potential attack process.
Frequently Asked Questions abstract:
Security applications protect sensitive information using various cryptographic keys, which need to be made available to the program code that decrypts the data. Modern cryptographic algorithms allow encrypted messages to be safely transferred between the endpoints at which they are encrypted and decrypted. However, traditional cryptographic algorithms were not designed to operate in environments where their execution could be observed.
Popular industry-standard ciphers like AES were not designed to operate in environments where their execution could be observed. In fact, standard cryptographic models assume that endpoints, such as PCs and hardware protection tokens, are to be trusted. If those endpoints reside in a potentially hostile environment, the cryptographic keys, whether embedded in or generated by the application, may be directly visible to attackers who monitor the application’s execution and attempt to extract them from memory.