White-Box Cryptography

Solutions in mobile payment and content protection often heavily rely on software to provide security. The open nature of the devices running these solutions, such as smartphones, tablets and set-top-boxes, make the software vulnerable to attacks since the attacker has complete control over the platform and software implementation. White-Box Cryptography (WBC) aims to protect cryptographic assets on such open systems, even when attackers have complete control over the platform and software implementation.

With its extensive knowledge on cryptographic security testing in software and hardware, Riscure has proven to be uniquely positioned to assess White-Box Cryptographic solutions. Both the obfuscation techniques and the cryptanalytic aspects require a wide range of capabilities to perform thorough and innovative security testing. Riscure performs such testing in an efficient manner where we ensure minimal project duration while providing optimal insight into the security of your White-Box Cryptographic implementation and recommendations for improvement.

Riscure offers WBC manufacturers and integrators security services tailored to your needs.

1. Design review and evaluation of White-Boxed ciphers

Riscure provides WBC manufacturers the opportunity to review and evaluate the design and implementation of their white-boxes and additional software protection techniques (e.g. obfuscation, anti-tampering, anti-debugging, root detection, device binding etc). Such evaluations are typically performed with the purpose of improving the WBC and software protection techniques.

2. Security evaluation of White-Box Cryptographic based solutions

Riscure provides WBC manufacturers and integrators the opportunity to evaluate the robustness of their White-Box cryptographic solution against attackers. Such evaluations are typically performed in a black-box approach, meaning without further details on the actual implementation, with the objective to break or circumvent the White-Boxed ciphers and software protection techniques and gain access to pre-defined protected assets (e.g. payment keys, encryption keys, content, etc).

3. Training & Consulting

Riscure provides support with test tooling, consulting and training in order to enable WBC manufacturers, integrators and others to improve the development, integration and testing of White-Box Cryptographic solutions and implementations. Read more on our open training course for security testing of WBC technology.