Over a decade ago, white-box cryptography was developed to provide a more cost-effective and flexible alternative to hardware security cards used by Cable and Satellite TV companies for secure Conditional Access. Since then, the applications of white-box cryptography have expanded to securing various other technologies, including mWallet and mPOS apps, AI algorithms, and Digital ID applications.
White-box cryptography has traditionally been associated with those uses, protecting either the encryption keys for streaming TV user authentication, or the token exchange required by digital ID solutions. The white-box protects the keys that manage the encryption of data required by the service provider, and the decryption of the user-required data. The white-box library helps to both manage this process and store the keys.
But the potential power of white-box cryptography goes far beyond this narrow use case. While code and data obfuscation is often used to protect other areas of application code, it is not enough to protect important secrets within a compiled application. Obfuscated data is de-obfuscated in memory when it is actually used, which is, of course, where the bad guys attack using off-the-shelf software debugging and other tools. A white-box, on the other hand, is designed to be secure at rest and in use.
Historically, white-boxes were only useful for protecting encryption keys for specific cryptographic algorithms. But if white-box cryptography could be applied to more than just cryptographic algorithms, and implemented in a flexible way that managed code-bloat and performance issues, it could become a powerful tool for software developers and DevSecOps teams to protect companies' intellectual property and customers' critical information. Unfortunately, no such white-box existed, until now.
PACE Anti-Piracy recognized the potential of white-box cryptography early on, and adopted white-boxes extensively to secure our licensing platform. However, early white-boxes were extremely limited and cumbersome, leading PACE to develop an entirely new white-box technology that we now use to secure a wide range of code at rest and in use. To help explain this new technology, we refer to white-box technologies by generation.
First-generation white-box libraries were pre-built to specific developer specifications, with a single or very limited choice of cryptographic algorithms. Any changes or updates were provided as a chargeable service, subject to vendor workload.
Second-generation on-premises toolkits allowed developers to build white-boxes on-demand, with improvements in cost and speed of updates or changes. However, they still supported limited cryptographic algorithms without a custom implementation and associated NRE costs.
PACE envisioned a new, third generation: an on-premises toolkit with the ability to protect any algorithm and/or secret and the flexibility to let developers white-box any C code, creating unique new security techniques and capabilities at need.
Our vision has now become a reality with White-Box Works, an on-premises toolkit that can transform any code expressed in C into a secure white-box variant. Developers can now build white-boxes on demand, securing their mission-critical intellectual property at multiple locations throughout the application’s architecture and providing a new level of security that was previously unavailable. With White-Box Works, PACE has pioneered a new approach to white-box cryptography that has the potential to revolutionize how companies protect their valuable information.
At PACE, we eat our own dogfood. We protect the code within our licensing solution with White-Box Works, adding to the security already provided by our well-established “Web of Trust” PKI infrastructure. This has allowed us to deploy tens of thousands of white-boxes across thousands of protected applications, which would have been impractical using any legacy first-generation white-box, and challenging even for second-generation solutions. Having overcome these challenges, we can present White-Box Works as the only third-generation solution.
The same challenges that PACE faced in successfully protecting our own license management solutions also feature strongly in a number of use-cases where white-box cryptography is recommended, or is even part of regulatory specifications.
PACE customers in mobile payments and financial services can rely on the flexibility and third-party-tested security capabilities of White-Box Works to protect their applications, particularly in the fast-growing mobile point-of-sale market. In this sector, regulators such as PCI and EMVCo mandate the use of white-box technology to safeguard consumers' personally identifiable information and prevent fraudulent attacks. But White-Box Works goes even further than simply delivering the required protection of cryptographic functions, securing other secrets including access to APIs and other sensitive code running on inherently insecure COTS mobile devices.
Digital ID solutions require secure cryptography to authenticate and exchange credentials, as well as managing other vital “secrets” in order to deliver a trusted service to their users - the end user citizen, the issuing authority, and the service provider. This use-case is similar to mobile payments in that it poses a significant challenge for open mobile consumer devices that lack traditional hardware security. The only control the service provider has over the security of the solution is the exchange of various secrets within the software application, which has to be supplied via an open-to-all app store where bad actors can also download the apps in order to analyze and develop attacks.
White-Box Works offers unparalleled software-based security that not only protects critical cryptography, but can also protect other secrets within the application, secure the communications to the cloud, and even protect cloud end-points.
In the market for DRM and conditional access, where the principles of white-box cryptography were originally created, first-generation white-box is well understood, but these early solutions are restrictive and come with significant "white-box taxes" for developers when a third party is paid to deliver secured white-box libraries. Licensors often require white-box technology as part of their contract with the software developers, and quite reasonably expect that the developers’ cryptographic software will protect their IP. But how can any developer feel in control of their product, with a legally binding agreement with their customer behind it, if they don’t know what is in the third-party library, how that fits into their supply chain processes, how quickly they can change keys, or what it might cost to do so?
With White-Box Works, development teams are no longer stuck between contractual obligations to their customers and the limitations of first-generation solutions. With White-Box Works’ modern, third-generation approach, developers can build white-box code at will to protect more than just crypto keys, creating complex architectures using multiple white-boxes and ensuring maximum software security for their licensors.
PACE also deploys secured code in the cloud to protect our own services. After all, who truly trusts someone else's computer? No matter who the public cloud solution provider is, there have been breaches. It’s human nature for errors to creep in, and cloud instances are no more inherently secure than any other platform, especially where multiple tenancy is the norm. Some encryption may be used to protect communication between applications, data sources and the outside world, but the encrypt/decrypt cycles between these apps, APIs, or external end-points are vulnerable to attacks if the encryption key is easily determined by statistical analysis. This can potentially open up the entire network, leaving your sensitive data and services vulnerable to hackers.
By using White-Box Works to secure the code in the cloud, development teams can significantly enhance their protection against such attacks. PACE’s new approach to "white-boxing" the code makes it much more difficult to reverse engineer or tamper with, and the ability to generate new white-boxes on demand is especially crucial in a cloud environment where creative developers and architects may need to modify the code to cope with new use-cases, especially as artificial intelligence and machine learning grow in use. White-Box Works adds an extra layer of security to cloud solutions and protects sensitive data and services from potential breaches.
In the last decade, white-box cryptography has evolved from simply being a flexible alternative to hardware security cards to securing other technologies, including software applications. PACE has overcome the limitations of first- and second-generation white-box technologies to secure our own products and services, and now leverages that development to bring a third-generation solution to market in White-Box Works, an on-premises toolkit that can transform any C code into a secure white-box variant on demand, providing a whole new level of security that was previously unavailable. With use cases in mobile financial services, digital ID, DRM, cloud solutions, and more, we offer unparalleled software-based security to protect much more than a single cryptographic algorithm from the most current cryptographic attacks, such as side-channel and statistical analysis.
For more on how PACE Anti-Piracy can support your licensing and application security needs, contact us.
Freehand Graphics is a global leader in software solutions for the screen-printing industry. Some of their software, notably Separation Studio NXT and AccuRIP Emerald, makes pre-press functions, like color separation, a simple and easy process for their customers.
As art students living in New York City, Charlie and Laura Facini were interested in making a career in the arts. Charlie was interested in printmaking and took a part-time job at a screen-printing shop to earn some extra money. Technology was quickly changing during this time, and screen printing was beginning to transition from a completely manual process to digitization. The industry was changing, and Charlie was at the forefront. While working daily to process orders, manually adjusting colors and specs, Charlie realized that parts of the screen-printing process were extremely time-consuming and error-prone. He decided to embrace the innovation that was happening around him with computers and technology and write a computer program to optimize the process.
Charlie wrote a program that would ultimately revolutionize screen-printing. What would normally take 3 labor-intensive days of work, Charlie’s program could do in less than an hour. Having discovered such a time-saving and efficient tool, Charlie’s screen-printing shop (which he now owned with his wife Laura) was able to process more orders and ultimately make more money. The next step: could he sell this program to other screen-printing shops?
In 1995, Freehand sought a way to distribute its software securely with a licensing system. PACE helped Freehand set up a secure licensing model that allowed customers to try the software, and later to buy it. The ability to ‘wrap’ their code with PACE’s unique architecture gave Freehand the security and flexibility it needed for trial extensions, ensuring prospects had enough time to evaluate the product and eventually buy.
In 2007, after joining forces with a new developer, Freehand decided to move toward a home-grown licensing model and no longer use PACE.
A shortfall of the home-grown licensing system was the lack of a robust license control center. With limited ability to help clients activate or deactivate software in response to local hardware issues, Freehand actively looked to improve the UX and to enhance customer service.
Free trials are at the core of many software sales strategies. For Freehand Graphics, nearly all sales are preceded by an 8-day trial. One drawback to the home-grown licensing system was that when a potential customer downloaded the trial, Freehand couldn't easily turn off access once the trial was over. People evaluating the software could, in some cases, still have access even though their trial period was over.
Freehand Graphics also offered a ‘chargeback guarantee’ – allowing customers who purchased their products to get their money back if they were not satisfied. Although a rare occurrence, when a customer did ask for a chargeback, there wasn’t an easy way to completely turn off access. A customer chargeback should have triggered the end of the license use, but the system in place did not offer that ability.
Finally, in 2019 Freehand decided to move from perpetual licenses to a subscription model. The need to make this change stemmed from a goal to create more features and a better user experience for customers. Charlie added “Perpetual is an ugly word when you are trying to create recurring revenue for a software product.” It was this decision that ultimately brought them back to PACE.
"With PACE, clients in good standing continue to benefit from using Freehand software, while those without an active license no longer have access. Freehand benefits from knowing that software activated means profits retained, while users enjoy the freedom and power of 24/7/365 web-based license controls."
The return to PACE Licensing not only helped Freehand’s new business model create recurring revenue and growth, but it also resulted in a better experience for their end-users. PACE iLok License Manager delivered a better UX for end-users, who are now more self-sufficient. This has resulted in a significant decrease in some support requests and eliminated other support issues altogether. This, in turn, has allowed Freehand to focus more on product and development.
When asked what role professional security and licensing play at Freehand Graphics, Charlie Facini responded:
“Without question, our products would not exist in this form in a digital age. It is impossible. You can’t let someone trial software without security, you can’t sell without security. Without proper security, you have an open-ended sale. PACE Anti-Piracy gave us something we never had in the past... mental security.”
For more information on how PACE Anti-Piracy can help with your licensing needs, contact us!