Next-gen ‘White-Box Works’ code generator launches complete with EMVCo Software-Based Mobile Payment security evaluation certificate
1st March 2022 - San Jose, California - Banks, payment service providers (PSPs), schemes, and other financial institutions can now benefit from a uniquely high level of sensitive data protection and application attack resistance, following today’s launch of White-Box Works, a next-generation EMVCo-evaluated White-Box code generator, from PACE Anti-Piracy.
Unlike traditional solutions, White-Box Works gives the customer complete, independent control over their protected code, ensuring their encryption keys and proprietary algorithms never leave the customer’s premises. White-Box Works can transform any C-code into a protected white-box variant in a single step, offering unparalleled flexibility, security, and efficiency.
This level of in-house control also promises to increase operational efficiency for the customer, since they are no longer beholden to a white-box library vendor’s build schedule and can develop their application in accordance with their internal schedules. It also enables the customer to use, replace and update their deployed encryption keys and algorithms at will, with no need to re-engage PACE Anti-Piracy, or any other third-party vendor, to do so.
White-Box Works has been designed to defeat a variety of sophisticated attacks, including those involving reverse engineering, fault injection, and advanced statistical analysis (such as Differential Computation Analysis).
White-Box Works outputs code that has been designed to defeat a range of attacks to which many encryption-dependent financial apps remain vulnerable, including, for example, those supporting mobile payments, digital identity, self-service retail, and softPOS use-cases.
White-Box Works has also achieved an EMVCo Software-Based Mobile Payment (SBMP) security evaluation certificate, following a successful EMVCo SBMP Evaluation conducted by global security lab, Riscure.
“Statistical Analysis attacks are the bane of all white-box encryption protection solutions,” comments Allen Cronce, CEO of PACE Anti-Piracy, Inc. “We are very proud to be equipping the financial services industry with a solution capable of addressing these and other vulnerabilities. White-Box Works represents a significant step forward in the encryption protection space, and will give banks, PSPs, schemes, and other financial sector users greater confidence in the security of their sensitive data. We’re also delighted to accompany the launch with news of White-Box Works’ EMVCo SBMP evaluation certificate and are grateful to Riscure’s talented penetration testers. The entire Riscure team has been a pleasure to work with throughout the rigorous EMVCo evaluation process.”
“Riscure is proud to have assisted PACE Anti-Piracy in achieving an EMVCo SBMP evaluation certificate for White-Box Works,” adds Maarten Bron, Managing Director of Riscure North America. “This innovative technology provides a unique security capability for solution developers as it supports the creation of white-box instances for any algorithm, allowing for optimal flexibility and developer freedom when the protection of cryptographic keys is vital. This makes White-Box Works not only useful in payments, but also in other fields such as digital rights management, eHealth, IoT, automotive and more.”
“It's also noteworthy that White-Box Works was evaluated as a stand-alone technology and did not require the additional protection of binary hardening and tamper-proofing technology to receive an EMVCo security evaluation certificate,” adds Allen Cronce. “I believe this is another industry first for White-Box Works. It’s an unmatched achievement we are immensely proud to highlight.”
White-Box Works is available now. For more information, please visit our White-Box Works webpage or contact PACE Anti-Piracy at [email protected].
About PACE Anti-Piracy, Inc.
PACE Anti-Piracy, Inc. is a privately held company based in San Jose, California. Since 1985, PACE has provided software publishers and distributors with high-quality solutions for secure software distribution. PACE products are used by a growing number of world-class software publishers around the world.
About Riscure
Founded in 2001, Riscure is a leading global advisor on the security of connected and IoT devices, as well as a recognized vendor of advanced security testing tools and security training. Riscure helps customers around the world to build robust hardware and software solutions and to speed up the process of secure development and certification. Riscure is the thought leader in Mobile Security and has been the front runner on security analysis of White-box Cryptographic implementations since 2012.
The need for software security in client-side applications has never been greater.
That’s an easy statement to make, and it quickly becomes justified by the stream of news stories about malware targeting mobile apps, compromised desktop applications, and websites leaking credit card information.
Research shows that upwards of 81% of consumers would stop engaging with a brand after a data breach.
Our lives are increasingly managed through online services and mobile apps. That means all the sensitive—and often highly private—data that defines who we are passes through our computers and phones. No wonder people take it seriously.
The challenge isn’t restricted to consumer apps. The same techniques that are used against consumer apps are also used to attack professional software—enabling the theft of business secrets.
This means cryptography is required to protect sensitive data.
Software engineers and security architects understand the need to encrypt sensitive data at rest and in transit. The techniques and protocols to achieve that are well understood. But how do you protect the cryptographic keys that unlock the data?
If you look online, you’ll find a few different definitions of cryptography, but they all center around the idea that “Cryptography is the application of mathematical operations to keep information secure by transforming it into a form that unintended recipients cannot understand.”
Keeping information secure means two things: firstly, keeping it private, and secondly, ensuring its integrity—ensuring the data hasn’t been corrupted or influenced.
At a high level, cryptographic algorithms—the encapsulation of those mathematical operations—take two inputs: the data to be operated on and the key. In non-scientific terms, the algorithms combine the two together. The key brings a uniqueness to the operation, stopping anyone from just running the decrypt algorithm to decipher the data. Therefore, keeping the key secret is the crucial part to protecting the privacy and integrity of the data.
If the key can be uncovered, then the data is no longer secure.
What does that mean for client-side applications? Well, very simply, it means the key must never be in the clear within the app.
This is because all software is vulnerable to reverse engineering.
Reverse engineering falls into two broad categories: static analysis and dynamic analysis.
Static analysis involves cracking the app open and looking at its code. Open source tools are readily available to do this. A popular example is Jadx, with which it takes about five minutes to see the code of any Android app. If you’ve put secrets in there, any attacker will find them.
Dynamic analysis is looking at the code and memory while the app is running. Developers commonly do this when debugging their apps. But attackers can do it with published apps, too. In an attacker’s hands, this can reveal a lot of detail about the behavior of the app - from what data is in memory, to looking at network traffic before it enters the encrypted transit pipe. While it requires slightly more skill than static analysis, all the tools and training materials are freely available to download.
That means developers should never have sensitive data, like crypto keys, in the clear—not in code and not in memory. It doesn’t take any dark web magic to find them, just a little time with Google.
We’ve established that you can’t hard-code cryptographic keys into your apps. Furthermore, methods to generate the keys in-app, or over-the-air provisioning of keys, will be vulnerable to dynamic analysis.
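As an added illustration (not code from the original article or from PACE), the pre-release check below scans a build artifact for printable strings that look like hard-coded key material, which is the same view static analysis gives anyone who opens the app. The sample artifact, the key values and the names AES_KEY, wrap_key and IV_PLACEHOLDER are constructed for the demo, and the entropy threshold is an assumption.

```python
"""Pre-release check: flag strings in a build artifact that look like embedded keys."""
import base64
import math
import re
from collections import Counter

# Runs of printable ASCII, the same view of a binary that strings(1) gives.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{8,}")
# Hex text that encodes exactly 32, 24 or 16 bytes (the AES key sizes).
# A 40-character SHA-1 digest is skipped; a SHA-256 digest is a known false positive.
HEX_KEY = re.compile(
    r"(?<![0-9A-Fa-f])(?:[0-9A-Fa-f]{64}|[0-9A-Fa-f]{48}|[0-9A-Fa-f]{32})"
    r"(?![0-9A-Fa-f])")
# Base64 text that encodes exactly 32, 24 or 16 bytes.
B64_KEY = re.compile(
    r"(?<![A-Za-z0-9+/])"
    r"(?:[A-Za-z0-9+/]{43}=|[A-Za-z0-9+/]{32}|[A-Za-z0-9+/]{22}==)"
    r"(?![A-Za-z0-9+/=])")

# Constructed sample values for the demo; neither is a real key.
SAMPLE_HEX_KEY = "9f3c1ab47e02d85566c0fb21a47d3e90"
SAMPLE_B64_KEY = base64.b64encode(bytes(range(0x40, 0x60))).decode("ascii")


def entropy_bits_per_byte(data: bytes) -> float:
    """Shannon entropy of the byte distribution; 0.0 for constant data."""
    n = len(data)
    return sum(-c / n * math.log2(c / n) for c in Counter(data).values())


def find_key_candidates(artifact: bytes, min_entropy: float = 3.0):
    """Return sorted (offset, kind, text) for strings that decode to key-sized,
    high-entropy values. Heuristic: every hit still needs human triage."""
    findings = []
    for run in PRINTABLE_RUN.finditer(artifact):
        text = run.group().decode("ascii")
        for m in HEX_KEY.finditer(text):
            if entropy_bits_per_byte(bytes.fromhex(m.group())) >= min_entropy:
                findings.append((run.start() + m.start(), "hex", m.group()))
        # Blank out hex hits so a 32-character hex string is not re-read as base64.
        rest = HEX_KEY.sub(lambda m: " " * len(m.group()), text)
        for m in B64_KEY.finditer(rest):
            try:
                raw = base64.b64decode(m.group(), validate=True)
            except ValueError:
                continue
            if entropy_bits_per_byte(raw) >= min_entropy:
                findings.append((run.start() + m.start(), "base64", m.group()))
    return sorted(findings)


def build_sample_artifact() -> bytes:
    """Constructed stand-in for a compiled app: binary padding plus embedded strings."""
    strings = [
        b"https://api.example.invalid/v1/pay",
        b"com/example/pay/CryptoHelper",
        b"IV_PLACEHOLDER=" + b"0" * 32,          # key-sized hex, but zero entropy
        b"AES_KEY=" + SAMPLE_HEX_KEY.encode(),
        b'wrap_key="' + SAMPLE_B64_KEY.encode() + b'"',
    ]
    return b"\x7fELF" + bytes(12) + b"\x00".join(strings) + bytes(8)


if __name__ == "__main__":
    for offset, kind, text in find_key_candidates(build_sample_artifact()):
        print(f"offset {offset:#06x}  {kind:6}  {text}")
```

A clean result only means no key sits in the artifact in a plain hex or base64 encoding; it says nothing about keys that appear in memory at run time.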
Thankfully the problem isn’t new and isn’t unique. Technologies exist specifically to solve it.
The three most common options available to developers are:
All three have their pros and cons, which will be discussed in more detail in the next article in this series.
In the meantime, our Director of Product Management, Neal Michie, will be discussing this subject at Droidcon San Francisco on the 8th of June.
Grammy-winning mix engineer and producer Andrew Scheps is renowned for his stellar mixing and production techniques, which he has applied to some of the biggest acts today, including Adele, Red Hot Chili Peppers, Low Roar, Metallica, and Hozier, among others. Moving from a fully analog to a completely in-the-box production setup 10 years ago gave him a wide-ranging perspective on record making. This shift came with numerous advantages, including portability and convenience, thanks to the iLok licensing system.
Today, Scheps relies on a wide range of iLok-protected software for his work. He uses Pro Tools for editing and arrangement, while employing various audio plug-ins to shape the sound of his tracks. These plug-ins offer a plethora of processing options, such as equalization, compression, pitch correction, noise correction (iZotope RX), and emulating hardware like an old speaker or megaphone (Speakerphone), or even the lush, iconic sound of Scheps’ long-lived Neve 8068 console (Scheps 73).
PACE’s iLok system has become an integral part of Scheps' workflow. It allows him to authorize his licensed software with ease, whether he's moving from one project to another or working in different locations. With iLok USBs, authorizations on a computer, or iLok Cloud, Scheps can conveniently manage his activations within his iLok account, ensuring a smooth and efficient working process.
Scheps’ passion for audio technology has been ingrained in him from the early days of his career. He began by fixing and maintaining Synclaviers for New England Digital right after college. This association with one of the first synthesizers and digital samplers eventually led him to explore MIDI sequencing software from Studio Vision, which used the PACE copy protection system, a precursor to iLok.
The introduction of iLok marked a turning point for Scheps. It revolutionized the way he worked, allowing him to bring his essential tools anywhere and eliminating the need for cumbersome hardware setups. Scheps had always been a beta tester for Pro Tools, receiving beta builds on floppy disks as far back as 1997. But it took him some time to find software tools that could entirely replace his console and racks of analog gear.
Around 2013, Scheps committed to mixing solely ‘in-the-box’, and immediately recognized the benefits. The ability to seamlessly transition between projects and locations with just an iLok USB, and his hard drives for multi-track sessions, was a game-changer. The iLok system provided a reliable and efficient way to manage authorizations, eliminating the hassle of dealing with other authorization systems.
As Scheps continued his journey in the world of audio, he found himself venturing into new territories. To add to his success as a mix engineer and producer, he developed an interest in programming software. Scheps, a self-proclaimed geek, was always looking for ways to automate tasks and streamline his workflow. He wanted to eliminate repetitive work that hindered his creative flow.
Driven by his curiosity and desire to simplify his process, Scheps started exploring SoundFlow, another PACE-protected software that allowed deep integration with Pro Tools. SoundFlow enabled him to accomplish tasks that no other software could achieve. He saw its potential and began writing scripts to automate various aspects of the mixing process. This newfound passion for coding led him to create his own app called Bounce Factory, which automated all aspects of the bouncing process.
During the pandemic lockdown, Scheps dedicated himself to both mixing and coding, often working late into the night. He learned the intricacies of programming through online resources, YouTube tutorials, and the supportive SoundFlow community. Scheps is grateful for the guidance and support he received, particularly from Christian Scheuer, the CEO and founder of SoundFlow, who has been instrumental in helping him navigate the world of programming. With SoundFlow's powerful platform and the protection and licensing provided by PACE iLok, Scheps didn't have to worry about the technical aspects of safeguarding his software. He could focus on unleashing his creativity and pushing the boundaries of what was possible.
Scheps didn't stop at Bounce Factory; he continued to explore programming and developed smaller tools to address specific pain points in his workflow. One of these tools was the Offset Counter, which helped him quickly locate specific sections of a mix, saving him valuable time when addressing notes from clients. By giving back to the community and sharing his creations, Scheps contributes to the collective growth and innovation of the audio industry.
“I love doing Atmos, I love the immersive stuff.”
Always at the forefront of audio technology, Scheps has a particular affinity for immersive formats like Atmos. He has mixed over 150 Atmos mixes to date, and is excited about the advancements in playback technology. Sharing that excitement and expertise in a Q&A on his personal Atmos setup, or a panel on Atmos Mixing with industry veterans like Bob Clearmountain, Steve Genewick, Will Kennedy, and Dave Way, is one way Scheps consistently contributes to the advancement of the greater audio community.
As soundbars and headphones improve, Scheps envisions a future where people could experience the full potential of immersive formats in their homes. He sees immense creative freedom in breaking free from the limitations of stereo and headphone playback, and eagerly anticipates the day when home speaker systems provide a truly immersive experience.
“I think eventually when consumer speaker systems are at a point where people can afford to actually get a speaker up over their head or behind them instead of just simulating it… That's when I think it'll really be cool, because then you'll have complete freedom. You're not trying to match a stereo thing, you’re not catering to headphone playback, which is a big part of the process now. And I don't mind that because I can still be really creative and have it work on headphones. I've gotten good at that. But it'll be nice when I don't even have to think about that.”
In November 2022, Scheps attended his first Audio Developer Conference (ADC), an annual event hosted by JUCE and PACE Anti-Piracy that celebrates all aspects of audio software. ADC 2022 sponsors included prominent companies like Apple, Focusrite, Avid, Audiotonix, GPU Audio, ByteDance, Ableton, and many more. Andrew thought that most of it might go right over his head, but to his surprise, he discovered that he fit right in with the passionate community of audio developers. The enthusiasm and dedication of the attendees, including those from prominent companies, inspired Scheps and reinforced his belief in the importance of pushing boundaries and driving innovation.
From his early days as a mix engineer to his more recent forays into programming, Andrew Scheps has consistently embraced emerging technologies and harnessed their power to enhance his craft. As an ambassador of the digital audio future, he continues to inspire (and be inspired by) his fellow professionals, demonstrating that the marriage of artistry and technology can unlock new realms of sonic possibility. Through his unwavering passion, relentless exploration, and commitment to excellence, Scheps continues to leave an indelible mark on the world of music, shaping its future with his pioneering spirit.
Neural DSP creates cutting-edge sound processing software and hardware that allows users to be more creative and efficient while lowering barriers to entry to world-class sounding results. With Chilean roots, this Helsinki-based company officially started in 2017. Not long after beginning development of their first plugin, Neural DSP contacted PACE Anti-Piracy to help them secure and license their products.
In the last 5 years, Neural DSP has released 17 plugins and one of the most powerful AI-equipped hardware modelers on the market: the Quad Cortex. Beyond offering cutting-edge products, Neural DSP differentiates itself by collaborating with hundreds of artists. Collaborations range from artists providing presets for their products to creating customized plugins or “Archetypes” based on specific sounds from artists like John Petrucci and Tim Henson.
PACE got the chance to sit down with Francisco Cresp, Co-Founder and Chief Product Officer, and Dan Davies, Chief Marketing Officer, of Neural DSP. We wanted to hear more about their unique story, and their reasons for choosing PACE protection and licensing.
How did Neural DSP get started?
Francisco Cresp: Doug Castro (Founder of Darkglass and Co-Founder of Neural DSP) and I met in Chile in 2009, and became friends. I had a mutual friend who played in a band with Doug, and he introduced us, since he knew we had both studied at the same school in Finland. Doug was doing pedals and I was producing music. We met and discovered it was a small world and we had a lot of friends in common. We just clicked on a personal level.
Doug moved to Finland, which is something I wanted to do. When I ended up moving to Helsinki, we got in touch and started working together at Darkglass Electronics. Doug always had an idea for a super powerful modeler, he is a very hardware oriented guy. He got frustrated from the point of view of a bass player who wants to play guitar, and decided to build the kind of modeler he wanted to use.
With all of his experience doing Darkglass Electronics, he started thinking of shifting to the digital world, the software side. I suggested that we should do software versions of Darkglass products. At that time, I was producing a lot more music than I am now. Using multiple pedals was a problem because I didn’t have a big space, and I was always using plugins. I wanted to run several instances of the Darkglass pedals, and then came the idea “maybe we should start something.”
I continued the software side, and Doug started hiring some additional software and hardware engineers. We began to develop products in parallel.
Darkglass Electronics makes the Quad Cortex, Neural DSP makes plugins. What came first: software or hardware?
Francisco Cresp: We developed hardware and software at the same time. Everything we did with the software, we were already thinking about the compatibility with the hardware. Development was always in parallel, but the hardware product could only be revealed later.
When the question of securing your plugins came up, what were your initial thoughts?
Francisco Cresp: When the security topic came up I thought right away, if we don’t want our software to get pirated we should really go with PACE Licensing. I knew ProTools uses it, and I have had a very good experience with ProTools and iLok - it works very closely with Avid, which is a brand I like. I knew the best security out there for audio products was PACE. PACE was the only option for us. We would rather go with PACE than with another company where we can expect their things to break. We got a quote, and the collaboration went very smoothly. PACE has allowed us to sell our software with the peace of mind that things are secure.
After deciding to work with PACE, how was the interaction with the support and sales team?
Francisco Cresp: Derek has always been helpful, the support team has been very helpful particularly including all the PACE architecture in our products. I remember contacting support very late on a Sunday night before our Monday release, and we couldn't compile our things because of an error. Pete helped and guided us with all the patience in the world. We managed to solve the problem with him, and it was very nice for him to listen to us in a moment of distress.
Francisco, you are a musician and music producer. How did your background in music influence the products?
Francisco Cresp: On a personal level, I wanted to create a dream product for myself at first. It just so happened that it was good for artists too, and they liked our UX and UI.
Artistic vision was enhanced by Franco, our Industrial Designer for Darkglass (and now Neural DSP), who has a great taste for design. His touch was essential for making the Quad Cortex and the plugin user interfaces. The UI allows the user to navigate easily, and play guitar, which is the most important thing.
It sounds like you made the kind of product you wanted for yourself, and other artists liked it! What role does the user experience play in your development process?
Francisco Cresp: We put all of our attention into the user experience, and how the users feel using our products - with audio quality being above all else. We put a lot of effort into developing new technologies, and how we can take things to the next level in every way - from the moment you open the box for Quad Cortex, to the experience of installing one of our products, to opening a session and the shock of seeing the interface. It is different from other products on the market.
How has it been to work with PACE?
Francisco Cresp: Anytime we have wanted something, there is a will to help from PACE. The relationship with PACE has been really smooth.
Neural DSP has chosen to work directly with artists - what brought about this partnering idea?
Dan Davies: This comes from two different aspects. First, Neural DSP collaborates with an artist to make a signature plugin - an “Archetype”. Our approach has always been to create a toolkit that the artist would use rather than focusing on potential commercial success. We want the plugin to be something the artist is proud to use.
The second aspect is that we have an extensive artist roster that we work with closely. We put together incredible videos showcasing them and our products.
How often do you reach out to artists for input and feedback?
Dan Davies: Often! There is a very open channel of communication with our artists, and our AR team has regular calls with many people on the roster to discuss their set up, their feedback, and to provide solutions to complex routing requirements.
Neural DSP is one of the fastest growing audio plugin companies today. It comes as no surprise that their success in the market is driven by their commitment to creating next-level audio software inspired by the artist. By keeping the artist central to the development process, Neural DSP lives out their mission statement: To empower musicians’ creativity to expand alongside technology.
For more information on how you can secure your plugins like Neural DSP, contact PACE today!
Over a decade ago, white-box cryptography was developed to provide a more cost-effective and flexible alternative to hardware security cards used by Cable and Satellite TV companies for secure Conditional Access. Since then, the applications of white-box cryptography have expanded to securing various other technologies, including mWallet and mPOS apps, AI algorithms, and Digital ID applications.
White-box cryptography has traditionally been associated with those uses, protecting either the encryption keys for streaming TV user authentication, or the token exchange required by digital ID solutions. The white-box protects the keys that manage the encryption of data required by the service provider, and the decryption of the user-required data. The white-box library helps to both manage this process and store the keys.
But the potential power of white-box cryptography goes far beyond this narrow use case. While code and data obfuscation is often used to protect other areas of application code, it is not enough to protect important secrets within a compiled application. Obfuscated data is de-obfuscated in memory when it is actually used, which is, of course, where the bad guys attack using off-the-shelf software debugging and other tools. A white-box, on the other hand, is designed to be secure at rest and in use.
Historically, white-boxes were only useful for protecting encryption keys for specific cryptographic algorithms. But if white-box cryptography could be applied to more than just cryptographic algorithms, and implemented in a flexible way that managed code-bloat and performance issues, it could become a powerful tool for software developers and DevSecOps teams to protect companies' intellectual property and customers' critical information. Unfortunately, no such white-box existed, until now.
PACE Anti-Piracy recognized the potential of white-box cryptography early on, and adopted white-boxes extensively to secure our licensing platform. However, early white-boxes were extremely limited and cumbersome, leading PACE to develop an entirely new white-box technology that we now use to secure a wide range of code at rest and in use. To help explain this new technology, we refer to white-box technologies by generation.
First-generation white-box libraries were pre-built to specific developer specifications, with a single or very limited choice of cryptographic algorithms. Any changes or updates were provided as a chargeable service, subject to vendor workload.
Second-generation on-premises toolkits allowed developers to build white-boxes on-demand, with improvements in cost and speed of updates or changes. However, they still supported limited cryptographic algorithms without a custom implementation and associated NRE costs.
PACE envisioned a new, third generation: an on-premises toolkit with the ability to protect any algorithm and/or secret and the flexibility to let developers white-box any C code, creating unique new security techniques and capabilities at need.
Our vision has now become a reality with White-Box Works, an on-premises toolkit that can transform any code expressed in C into a secure white-box variant. Developers can now build white-boxes on demand, securing their mission-critical intellectual property at multiple locations throughout the application’s architecture and providing a new level of security that was previously unavailable. With White-Box Works, PACE has pioneered a new approach to white-box cryptography that has the potential to revolutionize how companies protect their valuable information.
At PACE, we eat our own dogfood. We protect the code within our licensing solution with White-Box Works, adding to the security already provided by our well-established “Web of Trust” PKI infrastructure. This has allowed us to deploy tens of thousands of white-boxes across thousands of protected applications, which would have been impractical using any legacy first-generation white-box, and challenging even for second-generation solutions. Having overcome these challenges, we can present White-Box Works as the only third-generation solution.
The same challenges that PACE faced in successfully protecting our own license management solutions also feature strongly in a number of use-cases where white-box cryptography is recommended, or is even part of regulatory specifications.
PACE customers in mobile payments and financial services can rely on the flexibility and 3rd-party-tested security capabilities of White-Box Works to protect their applications, particularly in the fast-growing mobile point of sales market. In this sector, regulators such as PCI and EMVCo mandate the use of white-box technology to safeguard consumers' personally identifiable information and prevent fraudulent attacks. But White-Box Works goes even further than simply delivering the required protection of cryptographic functions, to secure other secrets including access to APIs and other sensitive code running on inherently insecure COTS mobile devices.
Digital ID solutions require secure cryptography to authenticate and exchange credentials, as well as managing other vital “secrets” in order to deliver a trusted service to their users - the end user citizen, the issuing authority, and the service provider. This use-case is similar to mobile payments in that it poses a significant challenge for open mobile consumer devices that lack traditional hardware security. The only control the service provider has over the security of the solution is the exchange of various secrets within the software application, which has to be supplied via an open-to-all app store where bad actors can also download the apps in order to analyze and develop attacks.
White-Box Works offers unparalleled software-based security that not only protects critical cryptography, but can also protect other secrets within the application, secure the communications to the cloud, and even protect cloud end-points.
In the market for DRM and conditional access, where the principles of white-box cryptography were originally created, first-generation white-box is well understood, but these early solutions are restrictive and come with significant "white-box taxes" for developers when a third party is paid to deliver secured white-box libraries. Licensors often require white-box technology as part of their contract with the software developers, and quite reasonably expect that the developers’ cryptographic software will protect their IP. But how can any developer feel in control of their product, with a legally binding agreement with their customer behind it, if they don’t know what is in the third-party library, how that fits into their supply chain processes, how quickly they can change keys, or what it might cost to do so?
With White-Box Works, development teams are no longer stuck between contractual obligations to their customers and the limitations of first-generation solutions. With White-Box Works’ modern, third-generation approach, developers can build white-box code at will to protect more than just crypto keys, creating complex architectures using multiple white-boxes and ensuring maximum software security for their licensors.
PACE also deploys secured code in the cloud to protect our own services. After all, who truly trusts someone else's computer? No matter who the public cloud solution provider is, there have been breaches. It’s human nature for errors to creep in, and cloud instances are no more inherently secure than any other platform, especially where multiple tenancy is the norm. Some encryption may be used to protect communication between applications, data sources and the outside world, but the encrypt/decrypt cycles between these apps, APIs, or external end-points are vulnerable to attacks if the encryption key is easily determined by statistical analysis. This can potentially open up the entire network, leaving your sensitive data and services vulnerable to hackers.
By using White-Box Works to secure the code in the cloud, development teams can significantly enhance their protection against such attacks. PACE’s new approach to "white-boxing" the code makes it much more difficult to reverse engineer or tamper with, and the ability to generate new white-boxes on demand is especially crucial in a cloud environment where creative developers and architects may need to modify the code and to cope with new use-cases, especially as artificial intelligence and machine learning grow in use. White-Box Works adds an extra layer of security to cloud solutions and protects sensitive data and services from potential breaches.
In the last decade, white-box cryptography has evolved from simply being a flexible alternative to hardware security cards to securing other technologies, including software applications. PACE has overcome the limitations of first and second-generation white-box technologies to secure our own products and services, and now leverages that development to bring a third-generation solution to market in White-Box Works, an on-premises toolkit that can transform any C code into a secure white-box variant on demand, providing a whole new level of security that was previously unavailable. With use cases in mobile financial services, digital ID, DRM, cloud solutions, and more, we offer unparalleled software-based security to protect much more than a single cryptographic algorithm from the most current cryptographic attacks such as Side Channel and Statistical Analysis.
For more on how PACE Anti-Piracy can support your licensing and application security needs, contact us.
PACE Licensing and Security Supports MATLAB Projects
An increasing number of universities are designing graduate programs centered around entrepreneurship in addition to publishing their work. This bridge from academia to industry is particularly interesting to PACE Anti-Piracy because PACE has worked with companies in transitioning software to commercial products for nearly four decades. With extensive industry knowledge, PACE brings engineering support and solutions to help companies such as Laser Thermal license their software and protect their IP before they sell it.
Who is Laser Thermal?
Laser Thermal provides accessible thermal measurements of materials, focusing on thin-film thermal conductivity. Using optical technologies, they provide simple, accurate, and rapid measurements of thermal properties, leading to increased customer knowledge of material properties.
Making Measurements Easier
Laser Thermal’s flagship product, Steady-State Thermoreflectance in Fiber Optics (SSTR-F), offers customers in industry and academia a reliable way to measure thermal properties of materials. The measurement technique uses two lasers: a pump laser that locally heats a sample, and a probe laser that measures the temperature rise at the same location. By understanding the temperature rise, they can determine the thermal properties of multi-layer systems at the nanometer scale. The ability to focus lasers down to small spots allows for high spatial resolution.
SSTR-F offers accurate and repeatable thermal conductivity measurements and thermal resistance measurements for a range of materials and thin films. It offers an automated, non-contact approach to measuring thin films–a solution which revolutionizes the speed and accuracy of measuring thermal properties. This offers a new capability for metrology of thermal properties, particularly to customers in the semiconductor industry.
Hardware Needs Software
The SSTR-F hardware is paired with software developed in-house by Laser Thermal. It was originally developed in LabView, and later converted to MATLAB for computational efficiency. On the interplay between hardware and software, Vice President of Product Development, Dr. Hans Olson, explains that, "With SSTR-F, we acquire data with hardware components driven by the overarching software protocols. After that data is acquired, there's another whole piece of software that takes those data inputs and analyzes them to produce results."
In order to protect the software parts of their product, the team at Laser Thermal looked to licensing to prevent future piracy.
High-Value Software Needs Licensing
Laser Thermal evaluated several different licensing solutions prior to having an introductory call with the PACE Engineering team. “When we learned about the extra security capabilities that PACE had to offer, it gave us all the more reason to choose PACE’s Licensing Platform,” explains Dr. Olson. When asked why the alternatives weren’t a good fit, Hans responded “The alternative solution seemed promising at first, but ultimately PACE’s experience and reliability won our team over.”
Importance of Security
When asked what role the added security features played in Laser Thermal choosing PACE, Hans replied, “We would like to think that what we are doing is complicated to the point that it would take another organization an appreciable amount of time to catch up. To perform the necessary R&D, understand what fiber components to put together, how to facilitate the delivery, the analysis for the solution of a heat diffusion equation, and to combine all of the math–it would take a long time to figure out, unless someone had access to our code.”
Monetizing MATLAB Projects
PACE Anti-Piracy brings nearly 40 years of experience to the software licensing and application protection space. While PACE has been working for years with software companies that leverage MATLAB, in 2022, PACE became the first licensing platform to enter the MathWorks Connections Program and offer an out-of-the-box solution to software developers that use MATLAB.
When Dr. Olson sought out a solution for the company’s MATLAB project, experience and level of protection were the defining factors. “We worked really hard for this product. I wasn’t going to take a risk.”
Read more about how Laser Thermal is disrupting the Test and Measurement Industry.
For more on how PACE Anti-Piracy can support your licensing and application security needs, contact us.
Earlier this month, Apple and Microsoft disclosed independent vulnerabilities in their digital signature infrastructure, affecting a huge range of operating systems.
In Apple's case, it was possible to create a fake signature and get macOS to trust it. (Details) This is like a fake ID that fools the bartender into selling alcohol to a teenager.
In Microsoft's case, it was possible to create fake signatures that looked like they were from a trusted entity. (Details) This is like being able to print your own ID cards, as if you were some authority.
Digital signatures are like driver's licenses (or other ID cards, around the world), but for software. They say, with authority, who the holder is. They are used to convey trust: if I know who you are, I know what you should be allowed to do, and I can have reasonable trust in how you'll behave.
So too with apps.
All modern apps come with digital signatures, like ID cards, saying who they are. But a digital signature, unlike an ID card, can instantly be checked to see if it's valid. It doesn't just have to look authentic - you can actually check that it really is authentic, and who the publisher really is - through standard cryptographic techniques based on “public key infrastructure (PKI)”.
This idea underpins most consumer apps used today. Apps in the iOS App Store have always required digital signatures. So too with Android. macOS and Windows have been ratcheting up digital signature requirements for more than a decade, and now signatures are effectively a requirement to deliver software to macOS, while on Windows they are required for a good user experience.
Digital signatures are also used by software publishers to establish their own trust systems. One common example is products that load content or have plugins, and need to verify that the content or plugins are authentic. Digital signatures are exactly the right tool for this job.
Both of these bugs have the same basic consequence: until they were fixed, digital signatures weren't really the strong guarantee of identity that we thought they were. Or in the Microsoft case, there might be fake digital signatures in the wild that can never be proven inauthentic.
Those apps you installed, from trusted publishers, might not have been from those publishers at all.
This highlights one of the problems with digital signatures: they're a single source of trust. If you base all your trust on one system, then when that system is broken, you have no trust left. As happened last week, with Apple and Microsoft.
But PACE customers are still protected, even now that these vulnerabilities are well known. Our licensing and content protection platforms use our own digital signature infrastructure - on top of the OS signature infrastructure - to verify the authenticity of plugins and content. We use a completely separate set of certificate authorities (but the same proven cryptography!) to provide a second layer of trust above and beyond the standard operating system signature checking.
Our signatures weren't broken by these vulnerabilities, and the software publishers who rely on PACE digital signatures can continue to trust the content and plugins they load into their products.
PACE customers also enjoy features that don't come with operating system digital signatures, like explicit identification of the product (not just the publisher), and connections between licensing and digital signatures that enable features like encrypting content that can only be decrypted by authorized products.
If you have a software product or content that would benefit from stronger authenticity guarantees, or from high-security licensing and distribution, we encourage you to contact us to learn more about how PACE can help you protect your work.
Solid State Logic (SSL) is a world leading manufacturer of advanced audio production systems for studio, live sound and broadcast. With more than 3000 SSL-equipped facilities operational today, SSL consoles and recording studio hardware and software are universally recognised for their reliability and outstanding sound quality.
Founded in 1969, SSL has seen an interesting evolution in its product offering. The name “Solid State Logic” was originally derived from their first product - a switching system for pipe organs. 7 years later, the product line expanded to include the first A-series console in 1976, and a big breakthrough with the SL 4000 E Series in 1979. Variants of this console followed, transforming the way music was recorded, and creating an international gold standard in music engineering hardware.
1985 marked the beginning of an era of digital research and development, leading to the development of the 01 - an eight channel recorder/editor. Three decades of continuous innovation landed Solid State Logic not only as a leader in recording hardware, but also professional studio software - both analogue and digital.
Although SSL is most famous for its rich legacy in analogue studio hardware, the company also has extensive experience in digital audio and DSP development. As the industry grew beyond dedicated hardware-hosted DSP, the release of the ‘SSL Native’ plug-ins signaled SSL’s first steps into the Digital Audio Workstation software marketplace - including the legendary Bus Compressor and Channel Strip plug-ins, inspired by the sought-after sound of the SL 4000 E-series analogue console.
The entrance into the software marketplace marked the beginning of a relationship between Solid State Logic and PACE Anti-Piracy. In early 2011 SSL needed a licensing solution for their software and evaluated PACE’s early product InterLok. SSL needed a Machine Based Licensing solution, a solution which PACE was still developing, and ultimately SSL chose an alternative licensing platform.
It is important to note that license management platforms carry a variety of responsibilities on many different levels. Not only does a platform have to securely distribute licenses to end users, the platform must also stay up to date with the latest operating system releases. “Customers are expecting things to work in their environment. In the audio industry, customers often need to avoid upgrading their computers for backcompatibility reasons between sessions. Supporting all of these environments ends up being maintenance and testing for the developer and you need a platform that can target all these things and is going to work. There are a lot of changes to keep up with. I don't think this would be possible were we doing all of this in house!” remarked Jon Sandman, Product Manager at SSL.
In 2013 an OS release caused a variety of issues with the SSL licensing system. The licensing vendor SSL had chosen was unable to maintain the software updates needed to continue uninterrupted service and a good user experience when a major release occurred. The issues caused the team at Solid State Logic to reach back out to PACE Anti-Piracy. “We needed a solution that was widely supported and from a supplier that made the integration process fast and straightforward. We had already used proprietary and less well known securitization solutions, and familiarity and market acceptance had been seen as barriers to success.”
By this time, PACE had developed and released Eden - a robust license management system with Machine-Based Licensing and security - exactly what SSL needed. James Motley, Head of Workstation Products at SSL at the time, was concerned about the cost to migrate license management platforms to PACE, and the effect it would have on business. PACE was able to work with the SSL and Audiotonix team to create flexible pricing and tiers.
When asked why SSL chose to go to PACE for their licensing needs, Jon Sandman said “We were aware of a number of successful companies using PACE security solutions in our industry. Many of our customers were already familiar with PACE, and so in looking for a securitization solution, PACE was an obvious choice.” When asked why SSL did not choose an alternative licensing solution, Jon continued “Market acceptance is important to us. Securitization and piracy prevention measures are a sensitive subject for our customers, and since PACE had already achieved acceptance with users and established themselves as a leader in our industry, a significant hurdle was overcome from the offset.”
“It is especially important to SSL that we also protect our IP. Emulations of SSL hardware, for example - if someone were to pick the software apart, then it would be a real shame for the dedicated plug-in development and DSP team that we have here at SSL.”
In addition to offering security and licensing services, the PACE Anti-Piracy brand also houses JUCE - an open-source cross-platform C++ application framework, used for the development of desktop and mobile applications. JUCE has been an integral part of the SSL software development framework. SSL has expanded software plug-in development - going from 10 plug-ins, to regularly releasing on average 2 plug-ins every quarter bringing the current total to 22.
“Not only our plug-ins, but our desktop application is in JUCE - the virtual mixer. We are reaping some of the benefits of the JUCE framework - including graphics improvements - in our SSL 360° desktop application and our new 4K B plug-in which used the latest JUCE release. The 4K B channel strip plug-in is an analogue model of the SL 4000 B-series console channel - an entirely new SSL channel strip for your productions - complete with 360° Plug-in Mixer (your virtual SSL console) and first-class integration with the SSL UC1 and UF8 for hands-on control.”
With PACE’s acquisition of JUCE also came the stewardship of the Audio Developer Conference (www.audio.dev). ADC will host its 7th annual conference in London and Online this year, November 14-16, 2022.
Solid State Logic supported the mission of the Audio Developer Conference with silver sponsorships in 2021.
The SSL team participated both online and in-person during the conference, presenting a talk, “How to Stand the Test of Time (Despite The Time it Takes to Test)”, by Jon Sandman. When asked why the Audio Developer Conference is important, Jon remarked “It is great to connect with the people that make the products you love.”
“I’ve always had an interest in accessibility and UX. It is a pretty broad subject, and going to ADC and actually connecting with experts in that field inspired me, and gave me a mental roadmap of what we can do and what our focus can be, which is important for me as a Product Manager.”
PACE Anti-Piracy brings a standard in professional audio software licensing that many companies rely on. We take great pride in working with organizations like Solid State Logic to ensure their software licensing needs are met. In addition, we are honored to expand our connection to SSL through our brands JUCE and the Audio Developer Conference. We look forward to a continued partnership on all levels!
For more information on the new SSL 4K B plug-in, please visit: https://www.solidstatelogic.com/products/ssl-4k-b
For more information on the Audio Developer Conference visit https://audio.dev
PACE Joins the MathWorks Connections Program, Allowing MATLAB Users to Monetize Their Projects
Silicon Valley, CA – PACE Anti-Piracy, creator of the iLok and PACE Licensing Platform, announced today that it has become a member of the MathWorks Connections Program. MathWorks is the world's leading developer of technical computing software for engineers and scientists.
MathWorks Connections Membership Gives MATLAB Compiler Users Full-Scale Support to Commercially Distribute their Application with a Licensing and Security Solution.
The MathWorks Connections Program is available to third-party organizations that develop complementary products that integrate and add to the existing feature set of MATLAB®, a programming and numeric computing platform used by millions of engineers and scientists to analyze data, develop algorithms, and create models. These partner offerings address technical needs across a wide range of applications and industries worldwide with software and hardware products that extend the usage of MATLAB and Simulink®. These solutions seamlessly integrate with MathWorks products and ensure ongoing compatibility with new platform releases.
PACE Anti-Piracy brings nearly four decades of application security and licensing experience to the MATLAB market. With over 140 million licenses secured, PACE is extending its platform support to include MATLAB Compiler projects. PACE Anti-Piracy’s licensing solution delivers support for:
PACE allows MATLAB users to have the peace of mind that their IP and software are protected and offers a platform to commercialize and monetize their compiled MATLAB Applications.
“Our MATLAB integrated solution extends PACE’s respected security and licensing platform that currently services industries such as Fintech, Medical, Industrial Software, and Media Entertainment,” said Patrick DiFerdinando, VP of Sales. “We were approached by MATLAB users seeking a bespoke licensing solution. As a result, PACE created a standardized solution to meet the needs of MATLAB users. We are pleased to join the MathWorks Connections Program and offer our security expertise to the scientists and engineers that wish to sell their software.”
PACE Anti-Piracy is a global leader in robust Application Protection and flexible Software Licensing Management Solutions. Since 1985, PACE has provided software developers and distributors with high value products, automated solutions for anti-piracy protection and secure software distribution. In response to market demands for stronger security products, PACE has expanded its product line to offer White-Box Cryptography (WBC) and Runtime Application Security Protection (RASP) solutions. PACE's products and services are trusted by thousands of software developers supporting millions of end users around the world. www.paceap.com
For further information on how to monetize your MATLAB, please contact: [email protected]
MathWorks is the leading developer of mathematical computing software. MATLAB, the language of engineers and scientists, is a programming environment for algorithm development, data analysis, visualization, and numeric computation. Simulink is a block diagram environment for simulation and Model-Based Design of multidomain and embedded engineering systems. Engineers and scientists worldwide rely on these products to accelerate the pace of discovery, innovation, and development in automotive, aerospace, communications, electronics, industrial automation, and other industries. MATLAB and Simulink are also fundamental teaching and research tools in the world’s universities and learning institutions. Founded in 1984, MathWorks employs more than 5000 people in 16 countries, with headquarters in Natick, Massachusetts, USA. For additional information, visit mathworks.com.
MATLAB and Simulink are registered trademarks of The MathWorks, Inc. See www.mathworks.com/trademarks for a list of additional trademarks.
Maybe you’ve been making audio software for decades, or perhaps you’ve just finished your first plug-in with JUCE, and now you want people to try it for a certain period of time. Let’s talk about some quick and easy ways to offer trial licenses for your PACE-protected software. By the end of this, you will know several of the ways in which you can provide trial licenses, and some of the methods for delivering those trial licenses.
As a software publisher using the PACE licensing system, you have a lot of control over who can gain access to your software, and how. Whether you want to offer a perpetual license with several activations, or a subscription license only allowed on an iLok USB, or just a timed trial so everyone can try your product before they buy it, you control the ways in which your customers interact with your software.
Let’s explore several ways of distributing trial licenses to customers (and how to implement them) so everyone can enjoy trying your products, including:
Auto-demo is one of the most widely used methods for depositing a trial license into your customer’s iLok account. Why? Because the PACE tools do the work for you.
It starts with the Activation Experience, which is a tool included with PACE Level 1 protection. The Activation Experience is triggered when PACE-protected desktop software is launched, or when a PACE-protected plug-in is scanned by a DAW. If you install a PACE-protected pro audio plug-in and do not yet have a license for it, the Activation Experience will pop up and ask the customer to log into their iLok account. After a user logs in, it will search for any valid license for that product within that iLok account.
If a license is found, Activation Experience will ask the user where it should be activated (iLok USB/iLok Cloud/machine, for example) and continue through the activation process.
If a license is not found, Activation Experience will pop up a ‘Try’ button. When that Try button is clicked, it will automatically deposit a trial license (pre-selected by the publisher) into that iLok account, and then continue with the activation process.
Once you (the Publisher) have set up your trial license and chosen the Auto-demo in your Activation Experience setup, all you need to deliver to the customer is that PACE-protected binary for the customers to gain access to a trial license.
Benefits of Auto-demo:
Built into the PACE SDK is access to an online portal called PACE Central. Among many other tools within PACE Central (including license creation, trial license time limit setup, iLok account search, etc.), there is the Code Factory. The Code Factory allows you to create and manage activation codes for various licenses, including trials and perpetual licenses. You can create activation codes yourself and distribute them right to your customers.
Once your customer has that code, it can be redeemed one of two ways:
Which one is better? Whichever one your customer prefers. There is a benefit when your customer uses iLok License Manager: it lets them see exactly which location they have activated the license to.
Redeeming a code and activating with iLok License Manager
Redeeming a code and activating with Activation Experience
Once you’ve created a batch of codes, there is the question of how you will deliver those codes to your potential customers. See the Methods of Distribution below for some commonly used ways to get trial licenses to your customers.
Benefits of Activation Codes:
The online portal, PACE Central, allows software publishers to manually deposit licenses directly into any iLok account. Having the ability to quickly deposit a trial license for customer support reasons, or for beta testing and influencer management, can be quite helpful. However, manually depositing trial licenses one by one for your general customer base is not recommended, for the hopefully obvious reason that it will quickly become tedious and time-consuming.
Whether you decide to use Auto-demo or Activation Codes for your trial licenses, there are a few methods of distribution to consider. Once you have a PACE-protected binary, you could easily give out Activation Codes to anyone, or just provide a download link for your installer if you chose the Auto-demo. Why wouldn’t you do that? Because you will want to know who actually tries your software.
People who try your software are your target audience, which means you’ll want to get them to opt in to marketing and promotional emails from you. This will provide you with the ability to:
While the PACE tools provide valuable data on licenses deposited for support purposes, owning your own customer database and knowing each product they have tried and/or purchased will enable you to grow your business and stay connected from the very beginning. Knowing the lifetime value of your customers is crucial for successful planning of marketing and promotional plans.
This option would require someone to either provide an email address, or a full user registration (name, email, etc.) on your website, before you allow them access to the installer for your product. Once that registration is verified, a redirect URL can give access to the installer with the Auto-demo. If you choose Activation Codes, one can be emailed to the customer.
This involves setting up a $0 product in your webstore that requires customers to fill out information and lets you include a checkbox for opting in to marketing emails. Once they have ‘purchased’ a trial for that product, the installer can be provided with either the Activation Code to be redeemed, or a link to the installer for your software with the Auto-demo included.
To sum it up, once you’ve decided to protect your desktop application or plug-in with PACE, there are several ways to create and deliver trial licenses to your customers.
As your business grows, there are more advanced options available to centralize the direct sales, dealer sales, and customer registration and installation processes. This would involve having your own code system for users and dealers in a central place with more automated and secure deposits to PACE. This could also include single sign-on and activation in your application. Having all of this data within your own CRM or database will allow for a more seamless customer experience and more upsell opportunities, and remove any potential data privacy issues. PACE clients that make this investment in their infrastructure tend to have great success in growing their business and increasing the lifetime value for each customer.
Our experience has shown that publishers increase sales when they offer prospective customers a trial of their plug-in. To that end, we at PACE have created a licensing platform that offers our publishers the ability to customize the trial and demo experience. By offering multiple ways of creating and delivering licenses, we give our publishers the autonomy to customize the experience that is best for their customers.
For more information on offering trial licenses or how PACE can benefit you and your customers, contact us now.
PACE Anti-Piracy was featured in a recent edition of Cyber Defense Magazine with an article titled “Are We Shifting Left Enough” written by Douglas Kinloch, VP of Business Development.
The term “shift left” is centered on the idea that Application Security efforts are now happening at earlier stages of the development lifecycle. Mr. Kinloch adds to the discussion by raising the question “how far left does an organization need to shift?”
He writes: “‘Shift Left’ is in danger of becoming a buzz-word, much as ‘End Point’ did 20 years ago. In software development, it is clear that the idea of moving security awareness from traditionally the last thing considered before shipping, to something every developer understands, can implement, and can act accordingly has to be a good thing. ‘Zero Trust’ is another buzzword that may travel hand-in-hand with Shift Left, but as many are beginning to point out there is no single Zero Trust silver bullet, it’s a process. As a process it needs to be the default setting of any designer of any system relying on IT networks, connectivity or software.”
At PACE we are users of software tools that ensure the Licensing products we supply to our customers and partners remain as secure as possible. It is a different approach to most License Management tools, where there is an emphasis on process, revenue management and software monetization. It is our belief that if the License Manager can be compromised, then all the software monetization tools in the world can’t maximize revenue or protect developers’ IP.
In order to deliver such security, the Developer team at PACE “shifted left” in the early 2000s and delivered iLok License Manager, secured by deep understanding of application code, and use of our Fusion Application Protection tools: Anti-Tamper and Obfuscation. To further secure customers’ IP and revenue streams, White-Box Works ensures the security of the cryptographic keys within the entire system.
PACE is now offering the same capabilities to partners across a number of markets, supporting Software POS and High Value Software customers, protecting IP and vitally important business logic from outside interference.
The assumption that compiled app code will be accessed, and that attackers have the tools and skills, changes the security calculus completely.
Zero Trust means that developers protecting their code understand that the actual end-point is not the device, or even the application within that device, but is the source code on the developers’ machine - before it’s even compiled. So when you decide to Shift Left, as we did, ask yourself, “how far?”
Find the full article in Cyber Defense Magazine.
For more information on how PACE tools can help your organization shift left, contact us.