Scare Of The Month: Whitebox Cryptography

Hiding keys in software sounded like a good idea. It wasn’t.


A debate has been raging for some time about whether hardware is more secure than software. This story should provide plenty of fuel for debate.

A few years ago, something called White Box Cryptography (WBC) was developed. This is a rather novel approach that implements cryptographic algorithms in software rather than in hardware, with the aim of keeping the cryptographic assets secure against attack through code obfuscation. Essentially, a white box implementation takes a key and creates, in software, a key-instantiated version of the algorithm in which the key is hidden in the code.

“Its claim to fame was that now there is a way to do cryptography in a very obfuscated manner, in software,” noted Pankaj Rohatgi, director of engineering at Rambus’ Cryptography Research Division. “And it promised that if the code was run in a debugger, it could not be extracted.”

Sounds great, right? After all, this takes security from the chip level to the software level and simplifies it so that it can be implemented across any number of applications and platforms. This is extremely interesting to the IoE players because it can be layered on top of IoE device software – cheap and easy – without cryptography hardware. It promised a lot: hardware independence, the ability to scale down to smaller devices (think IoE), and the ability to run on most, if not all, chips.

Google thought it would work well with its host card emulation (HCE), removing the reliance on hardware cryptography in its phones, which is how Apple Pay and the earlier Google Wallet worked. Google developed an API that allows the NFC chip to communicate directly with a software layer, as opposed to a secure element or smart card chip, so the payment can be handled in software instead of hardware.

HCE, instead of storing the card data in a secure environment, uses short-term keys for a transaction. The HCE element talks to a server, which puts a limited-use key onto your device, and the software uses that limited-use key to make the transaction. And it uses a white box to encode the key.

All was good in wonderland until it became obvious that hacking white box cryptography is not all that difficult, something that, according to Rohatgi, has been brewing for some time. It has been known for a while that it can be hacked, but the thinking was that doing so would take a while, maybe two or three months. And because most uses were short-term applications on devices that received regular updates, and low-value targets, hacking it wouldn't be worth the effort. So it continued to be used.

But then came the wakeup call. This, too, is something that has been in the channel for a few months, but a few weeks ago the bombshell dropped: white-box cryptography turns out to be exceptionally easy to hack. In fact, Riscure, at the Black Hat Europe 2015 conference last month, announced that it had found a way to break white box cryptography.

“There is now a very big ‘hammer’ that can now be used to break all white box cryptography,” says Rohatgi. “And now it only takes a few hours, versus a few weeks or months.” It was simply a matter of coming up with a method to apply differential analysis in software – and that, folks, is the end of that. It is now a whole new ball game.

So, essentially, white box cryptography is now broken, and it is on a whole slew of Android devices out in the user space. It no longer matters that the white box is rotated every few weeks. Now it would need to be rotated every few hours, which is not likely to happen.

Perhaps the argument that it is mostly used in low-value transactions will make it less likely to be hacked. But if they can hack the white box, will it lead to a vulnerability in the device so many of us use to run our lives? That’s unknown at this point.

Still, this isn’t something to be ignored. It’s a major scare, and we can only hope that Google, and the rest of the industry that uses white box for things like digital rights management, wake up and smell the coffee. In fact, maybe they should make some extra coffee.