Ernest Worthman of Semiconductor Engineering recently described White Box Cryptography (WBC) as a “novel approach” that implements cryptography algorithms in software, rather than hardware.
“The idea is to keep the cryptographic assets secure against attacks, using code obfuscation,” he explained. “Essentially, a white box implementation is taking a key and creating, in software, a key-instantiated version where the key is hidden in the code.”
As Rambus Cryptography Research Fellow Pankaj Rohatgi told Semiconductor Engineering, White Box Cryptography offered “a way to do” software-based cryptography in a very obfuscated manner. More specifically, WBC held out the promise that code could not be extracted if it was run in a debugger. However, Riscure – a global security test lab – recently announced that it had discovered a way to crack White Box Cryptography.
“There is now a very big ‘hammer’ that can now be used to break all White Box Cryptography,” Rohatgi confirmed. “And now it only takes a few hours, versus a few weeks or months.”
As Worthman observes, White Box Cryptography is essentially “broken.” To make matters worse, WBC resides on a slew of Android devices in the user space.
“It doesn’t matter that the White Box is rotated every few weeks, anymore. Now it needs to be rotate every few hours, which is not likely to happen,” said Worthman. “Perhaps the argument that it is mostly used in low-value transactions will make it less likely to be hacked. But if they can hack the white box, will it lead to vulnerabili[ties] in the device so many of us use to run our lives? That’s unknown at this point.”
According to Paul Kocher, the Chief Scientist of Rambus’ Cryptography Research Division, the semiconductor industry must find a way to create effective security that works even if there are software bugs.
“This requires building better, more secure hardware that can provide effective security and last across the extended lifespan of devices such as appliances and cars,” Kocher told Rambus Press during an earlier interview on the general subject of security.
According to Kocher, there has been a paradigm shift in the way the threat landscape is perceived. Indeed, the industry is moving towards solutions that address a diverse set of security requirements across multiple platforms and chips, rather than building narrow solutions specific to a single use case or device.
“From my perspective, truly robust security starts with the design of an SoC, and security needs have to be addressed along the manufacturing supply chain. It is difficult to imagine any device these days that processes information, yet does need some form of cryptographic security. Adoption of cryptographic solutions will only continue to accelerate, as everything from cars to refrigerators join the growing ranks of the Internet of Things (IoT),” he added.