Cryptography is no longer limited to the military and spies. This ancient art underpins modern life. It’s about encoding intelligible data, e.g. numbers, text and transforming them into something unreadable to anyone other than who the information is meant for. The question is, does it need an upgrade for today’s always connected world?
How secure is your house?
Hundreds of times a day we use cryptography in our everyday life. From the lock on the website that you’re browsing, remotely unlocking your car with the key fob to using all kinds of devices. It’s important. It protects you and your data. But it’s fragile.
Let’s take your home as an analogy. Having an expensive lock on the front door is only good if your windows and back door are secure. Leaving your windows open undermines the security the front door lock brings. The same is true in computer systems. They often use strong cryptographic keys and algorithms, e.g. AES. But if the developer leaves the software equivalent of a window open – how safe is it really? Such a software window is the assumption to trust that the computer the application is running on, is safe. Would-be attackers can easily gain access by exploiting software that you’ve downloaded and installed, or the USB key that you inserted into your laptop. There are many ways to gain access to the computer. Once in, the attacker has control.
What can be done?
There isn’t one solution to this. But using Whitebox Cryptography (WBC) is certainly one to consider. The underlying premise of WBC is that the attacker is in control. The computer system is not safe. With WBC it’s possible to encrypt and decrypt secrets to a key without exposing the key itself. Yes, even if the attacker has control of the computer system, the secrets remain secret.
How do we do this?
I’ll go into this in more detail in my next post but let me give you a high level overview. By combining WBC with other techniques such as code obfuscation, tamper resistance plus monitoring and telemetry you have a formidable security architecture.
Central to this is WBC. It anchors the security system that checks that the environment is still trustworthy. Once we have a security anchor we can build checks called Integrity Verification. By layering tamper resistance techniques on top, the application becomes self-defending. And adding monitoring and telemetry, it means that you’re able to monitor the execution. If the integrity of the system is broken, then the back-end is aware and can be ready with a response.
Why does this matter?
In our always online world, cryptography is even more important. Today’s applications run in a very different environment than 10-20 years ago. There’s applications running on smartphones, virtual machines, scripts running on browsers and IoT devices linking to the cloud. The traditional approach has had its day. We need to think about software security from the Inside-Out.