White-box cryptography

Abstract
Businesses often interact with users via web browsers and applications on mobile devices, and host services on cloud servers they may not own. Such highly exposed environments employ white-box cryptography (WBC) for security protection. WBC operates on a security model far different from the traditional black-box model. The modern business world includes large commercial segments in which end-users are directly exposed to business application software hosted on web browsers, mobile phones, web-connected tablets, and an increasing number of other devices: the 'internet of things' (IoT). Software applications and their communication activities now dominate much of the commercial world, and there have been countless hacks on such software, and on devices hosting it, with targets as diverse as mobile phones, web browser applications, vehicles, and even refrigerators! The business advantages of deploying computational power near the user encourage software migration to exposed network end-points, but this increasing exposure provides an ever-growing attack surface. Here, we discuss the goals and challenges of white-box cryptography and emerging approaches in a continual attempt to stay at least one step ahead of the attackers. We list some WBC techniques, both traditional and recent, indicating how they might be incorporated into a WBC AES implementation.
