Over a decade ago, white-box cryptography was developed to provide a more cost-effective and flexible alternative to hardware security cards used by Cable and Satellite TV companies for secure Conditional Access. Since then, the applications of white-box cryptography have expanded to securing various other technologies, including mWallet and mPOS apps, AI algorithms, and Digital ID applications.
White-box cryptography has traditionally been associated with those uses, protecting either the encryption keys for streaming TV user authentication, or the token exchange required by digital ID solutions. The white-box protects the keys that manage the encryption of data required by the service provider, and the decryption of the user-required data. The white-box library helps to both manage this process and store the keys.
But the potential power of white-box cryptography goes far beyond this narrow use case. While code and data obfuscation is often used to protect other areas of application code, it is not enough to protect important secrets within a compiled application. Obfuscated data is de-obfuscated in memory when it is actually used, which is, of course, where the bad guys attack using off-the-shelf software debugging and other tools. A white-box, on the other hand, is designed to be secure at rest and in use.
Historically, white-boxes were only useful for protecting encryption keys for specific cryptographic algorithms. But if white-box cryptography could be applied to more than just cryptographic algorithms, and implemented in a flexible way that managed code-bloat and performance issues, it could become a powerful tool for software developers and DevSecOps teams to protect companies' intellectual property and customers' critical information. Unfortunately, no such white-box existed, until now.
PACE Anti-Piracy recognized the potential of white-box cryptography early on, and adopted white-boxes extensively to secure our licensing platform. However, early white-boxes were extremely limited and cumbersome, leading PACE to develop an entirely new white-box technology that we now use to secure a wide range of code at rest and in use. To help explain this new technology, we refer to white-box technologies by generation.
First-generation white-box libraries were pre-built to specific developer specifications, with a single or very limited choice of cryptographic algorithms. Any changes or updates were provided as a chargeable service, subject to vendor workload.
Second-generation on-premises toolkits allowed developers to build white-boxes on-demand, with improvements in cost and speed of updates or changes. However, they still supported limited cryptographic algorithms without a custom implementation and associated NRE costs.
PACE envisioned a new, third generation: an on-premises toolkit with the ability to protect any algorithm and/or secret and the flexibility to let developers white-box any C code, creating unique new security techniques and capabilities at need.
Our vision has now become a reality with White-Box Works, an on-premises toolkit that can transform any code expressed in C into a secure white-box variant. Developers can now build white-boxes on demand, securing their mission-critical intellectual property at multiple locations throughout the application’s architecture and providing a new level of security that was previously unavailable. With White-Box Works, PACE has pioneered a new approach to white-box cryptography that has the potential to revolutionize how companies protect their valuable information.
At PACE, we eat our own dogfood. We protect the code within our licensing solution with White-Box Works, adding to the security already provided by our well-established “Web of Trust” PKI infrastructure. This has allowed us to deploy tens of thousands of white-boxes across thousands of protected applications, which would have been impractical using any legacy first-generation white-box, and challenging even for second-generation solutions. Having overcome these challenges, we can present White-Box Works as the only third-generation solution.
The same challenges that PACE faced in successfully protecting our own license management solutions also feature strongly in a number of use-cases where white-box cryptography is recommended, or is even part of regulatory specifications.
PACE customers in mobile payments and financial services can rely on the flexibility and 3rd-party-tested security capabilities of White-Box Works to protect their applications, particularly in the fast-growing mobile point of sales market. In this sector, regulators such as PCI and EMVCo mandate the use of white-box technology to safeguard consumers' personally identifiable information and prevent fraudulent attacks. But White-Box Works goes even further than simply delivering the required protection of cryptographic functions, to secure other secrets including access to APIs and other sensitive code running on inherently insecure COTS mobile devices.
Digital ID solutions require secure cryptography to authenticate and exchange credentials, as well as managing other vital “secrets” in order to deliver a trusted service to their users - the end user citizen, the issuing authority, and the service provider. This use-case is similar to mobile payments in that it poses a significant challenge for open mobile consumer devices that lack traditional hardware security. The only control the service provider has over the security of the solution is the exchange of various secrets within the software application, which has to be supplied via an open-to-all app store where bad actors can also download the apps in order to analyze and develop attacks.
White-Box Works offers unparalleled software-based security that not only protects critical cryptography, but can also protect other secrets within the application, secure the communications to the cloud, and even protect cloud end-points.
In the market for DRM and conditional access, where the principles of white-box cryptography were originally created, first-generation white-box is well understood, but these early solutions are restrictive and come with significant "white-box taxes" for developers when a third party is paid to deliver secured white-box libraries. Licensors often require white-box technology as part of their contract with the software developers, and quite reasonably expect that the developers’ cryptographic software will protect their IP. But how can any developer feel in control of their product, with a legally binding agreement with their customer behind it, if they don’t know what is in the third-party library, how that fits into their supply chain processes, how quickly they can change keys, or what it might cost to do so?
With White-Box Works, development teams are no longer stuck between contractual obligations to their customers and the limitations of first-generation solutions. With White-Box Works’ modern, third-generation approach, developers can build white-box code at will to protect more than just crypto keys, creating complex architectures using multiple white-boxes and ensuring maximum software security for their licensors.
PACE also deploys secured code in the cloud to protect our own services. After all, who truly trusts someone else's computer? No matter who the public cloud solution provider is, there have been breaches. It’s human nature for errors to creep in, and cloud instances are no more inherently secure than any other platform, especially where multiple tenancy is the norm. Some encryption may be used to protect communication between applications, data sources and the outside world, but the encrypt/decrypt cycles between these apps, APIs, or external end-points are vulnerable to attacks if the encryption key is easily determined by statistical analysis. This can potentially open up the entire network, leaving your sensitive data and services vulnerable to hackers.
By using White-Box Works to secure the code in the cloud, development teams can significantly enhance their protection against such attacks. PACE’s new approach to "white-boxing" the code makes it much more difficult to reverse engineer or tamper with, and the ability to generate new white-boxes on demand is especially crucial in a cloud environment where creative developers and architects may need to modify the code and to cope with new use-cases, especially as artificial intelligence and machine learning grow in use. White-Box Works adds an extra layer of security to cloud solutions and protects sensitive data and services from potential breaches.
In the last decade, white-box cryptography has evolved from simply being a flexible alternative to hardware security cards, to secure other technologies including software applications. PACE has overcome the limitations of first and second-generation white-box technologies to secure our own products and services, and now leverages that development to bring a third-generation solution to market in White-Box Works, an on-premises toolkit that can transform any C code into a secure white-box variant on demand, providing a whole new level of security that was previously unavailable. With use cases in mobile financial services, digital ID, DRM, cloud solutions, and more, we offer unparalleled software-based security to protect much more than a single cryptographic algorithm from the most current cryptographic attacks such as Side Channel and Statistical Analysis.
For more on how PACE Anti-Piracy can support your licensing and application security needs, contact us.
Solid State Logic (SSL) is a world leading manufacturer of advanced audio production systems for studio, live sound and broadcast. With more than 3000 SSL-equipped facilities operational today, SSL consoles and recording studio hardware and software are universally recognised for their reliability and outstanding sound quality.
Founded in 1969, SSL has seen an interesting evolution in its product offering. The name “Solid State Logic” was originally derived from their first product - a switching system for pipe organs. 7 years later, the product line expanded to include the first A-series console in 1976, and a big breakthrough with the SL 4000 E Series in 1979. Variants of this console followed, transforming the way music was recorded, and creating an international gold standard in music engineering hardware.
1985 marked the beginning of an era of digital research and development, leading to the development of the 01 - an eight channel recorder/editor. Three decades of continuous innovation landed Solid State Logic not only as a leader in recording hardware, but also professional studio software - both analogue and digital.
Although SSL is most famous for its rich legacy in analogue studio hardware, the company also has extensive experience in digital audio and DSP development. As the industry grew beyond dedicated hardware-hosted DSP, the release of the ‘SSL Native’ plug-ins signaled SSL’s first steps into the Digital Audio Workstation software marketplace - including the legendary Bus Compressor and Channel Strip plug-ins, inspired by the sought-after sound of the SL 4000 E-series analogue console.
The entrance into the software marketplace marked the beginning of a relationship between Solid State Logic and PACE Anti-Piracy. In early 2011 SSL needed a licensing solution for their software and evaluated PACE’s early product InterLok. SSL needed a Machine Based Licensing solution, a solution which PACE was still developing, and ultimately SSL chose an alternative licensing platform.
It is important to note that license management platforms carry a variety of responsibilities on many different levels. Not only does a platform have to securely distribute licenses to end users, the platform must also stay up to date with the latest operating system releases. “Customers are expecting things to work in their environment. In the audio industry, customers often need to avoid upgrading their computers for back-compatibility reasons between sessions. Supporting all of these environments ends up being maintenance and testing for the developer and you need a platform that can target all these things and is going to work. There are a lot of changes to keep up with. I don't think this would be possible were we doing all of this in house!” remarked Jon Sandman, Product Manager at SSL.
In 2013 an OS release caused a variety of issues with the SSL licensing system. The licensing vendor SSL had chosen was unable to maintain the software updates needed to continue uninterrupted service and a good user experience when a major release occurred. The issues caused the team at Solid State Logic to reach back out to PACE Anti-Piracy. “We needed a solution that was widely supported and from a supplier that made the integration process fast and straightforward. We had already used proprietary and less well known securitization solutions, and familiarity and market acceptance had been seen as barriers to success.”
By this time, PACE had developed and released Eden - a robust license management system with Machine-Based Licensing and security - exactly what SSL needed. James Motley, Head of Workstation Products at SSL at the time, was concerned about the cost to migrate license management platforms to PACE, and the effect it would have on business. PACE was able to work with the SSL and Audiotonix team to create flexible pricing and tiers.
When asked why SSL chose to go to PACE for their licensing needs, Jon Sandman said “We were aware of a number of successful companies using PACE security solutions in our industry. Many of our customers were already familiar with PACE, and so in looking for a securitization solution, PACE was an obvious choice.” When asked why SSL did not choose an alternative licensing solution, Jon continued “Market acceptance is important to us. Securitization and piracy prevention measures are a sensitive subject for our customers, and since PACE had already achieved acceptance with users and established themselves as a leader in our industry, a significant hurdle was overcome from the offset.”
“It is especially important to SSL that we also protect our IP. Emulations of SSL hardware, for example - if someone were to pick the software apart, then it would be a real shame for the dedicated plug-in development and DSP team that we have here at SSL.”
In addition to offering security and licensing services, the PACE Anti-Piracy brand also houses JUCE - an open-source cross-platform C++ application framework, used for the development of desktop and mobile applications. JUCE has been an integral part of the SSL software development framework. SSL has expanded software plug-in development - going from 10 plug-ins to regularly releasing, on average, 2 plug-ins every quarter, bringing the current total to 22.
“Not only our plug-ins, but our desktop application is in JUCE - the virtual mixer. We are reaping some of the benefits of the JUCE framework - including graphics improvements - in our SSL 360° desktop application and our new 4K B plug-in which used the latest JUCE release. The 4K B channel strip plug-in is an analogue model of the SL 4000 B-series console channel - an entirely new SSL channel strip for your productions - complete with 360° Plug-in Mixer (your virtual SSL console) and first-class integration with the SSL UC1 and UF8 for hands-on control.”
With PACE’s acquisition of JUCE also came the stewardship of the Audio Developer Conference (www.audio.dev). ADC will host its 7th annual conference in London and online this year, November 14-16, 2022.
Solid State Logic supported the mission of the Audio Developer Conference with silver sponsorships in 2021.
The SSL team participated both online and in-person during the conference, presenting a talk, “How to Stand the Test of Time (Despite The Time it Takes to Test)”, by Jon Sandman. When asked why the Audio Developer Conference is important, Jon remarked “It is great to connect with the people that make the products you love.”
“I’ve always had an interest in accessibility and UX. It is a pretty broad subject, and going to ADC and actually connecting with experts in that field inspired me, and gave me a mental roadmap of what we can do and what our focus can be, which is important for me as a Product Manager.”
PACE Anti-Piracy brings a standard in professional audio software licensing that many companies rely on. We take great pride in working with organizations like Solid State Logic to ensure their software licensing needs are met. In addition, we are honored to expand our connection to SSL through our brands JUCE and the Audio Developer Conference. We look forward to a continued partnership on all levels!
For more information on the new SSL 4K B plug-in, please visit: https://www.solidstatelogic.com/products/ssl-4k-b
For more information on the Audio Developer Conference visit https://audio.dev
PACE Joins the MathWorks Connections Program, Allowing MATLAB Users to Monetize Their Projects
Silicon Valley, CA – PACE Anti-Piracy, creator of the iLok and PACE Licensing Platform, announced today that it has become a member of the MathWorks Connections Program. MathWorks is the world's leading developer of technical computing software for engineers and scientists.
MathWorks Connections Membership Gives MATLAB Compiler Users Full-Scale Support to Commercially Distribute their Application with a Licensing and Security Solution.
The MathWorks Connections Program is available to third-party organizations that develop complementary products that integrate and add to the existing feature set of MATLAB®, a programming and numeric computing platform used by millions of engineers and scientists to analyze data, develop algorithms, and create models. These partner offerings address technical needs across a wide range of applications and industries worldwide with software and hardware products that extend the usage of MATLAB and Simulink®. These solutions seamlessly integrate with MathWorks products and ensure ongoing compatibility with new platform releases.
PACE Anti-Piracy brings nearly four decades of application security and licensing experience to the MATLAB market. With over 140 million licenses secured, PACE is extending its platform support to include MATLAB Compiler projects. PACE Anti-Piracy’s licensing solution delivers support for:
PACE allows MATLAB users to have the peace of mind that their IP and software are protected and offers a platform to commercialize and monetize their compiled MATLAB Applications.
“Our MATLAB integrated solution extends PACE’s respected security and licensing platform that currently services industries such as Fintech, Medical, Industrial Software, and Media Entertainment,” said Patrick DiFerdinando, VP of Sales. “We were approached by MATLAB users seeking a bespoke licensing solution. As a result, PACE created a standardized solution to meet the needs of MATLAB users. We are pleased to join the MathWorks Connections Program and offer our security expertise to the scientists and engineers that wish to sell their software.”
PACE Anti-Piracy is a global leader in robust Application Protection and flexible Software Licensing Management Solutions. Since 1985, PACE has provided software developers and distributors with high value products, automated solutions for anti-piracy protection and secure software distribution. In response to market demands for stronger security products, PACE has expanded its product line to offer White-Box Cryptography (WBC) and Runtime Application Security Protection (RASP) solutions. PACE's products and services are trusted by thousands of software developers supporting millions of end users around the world. www.paceap.com
For further information on how to monetize your MATLAB, please contact: [email protected]
MathWorks is the leading developer of mathematical computing software. MATLAB, the language of engineers and scientists, is a programming environment for algorithm development, data analysis, visualization, and numeric computation. Simulink is a block diagram environment for simulation and Model-Based Design of multidomain and embedded engineering systems. Engineers and scientists worldwide rely on these products to accelerate the pace of discovery, innovation, and development in automotive, aerospace, communications, electronics, industrial automation, and other industries. MATLAB and Simulink are also fundamental teaching and research tools in the world’s universities and learning institutions. Founded in 1984, MathWorks employs more than 5000 people in 16 countries, with headquarters in Natick, Massachusetts, USA. For additional information, visit mathworks.com.
MATLAB and Simulink are registered trademarks of The MathWorks, Inc. See www.mathworks.com/trademarks for a list of additional trademarks.
PACE Anti-Piracy Inc. is pleased to announce full Native Apple Silicon support. After significant development and rigorous testing, iLok copy protection tools are now fully Apple Silicon compatible. The latest license support software update now includes full M1 support, along with existing support for Intel-based Mac OS systems. This release enables plug-in makers and publishers to update their products that have native M1 support with full license protection.
“We knew our publishers were keen on taking advantage of M1 Pro and M1 Pro Max devices and its impact on the creative community and their workflows. This was a top priority for our engineering team - and it was a big job. We are really happy about this release,” said Allen Cronce, CEO of PACE Anti-Piracy, regarding the announcement.
In addition, if you are using iLok License Manager version 5.5 or newer, you can now request a machine activation reset from within iLok License Manager. The publisher will still need to approve the request.
iLok is part of the PACE Anti-Piracy licensing platform which enables publishers to distribute their licenses securely via cloud, machine, or iLok hardware. Secure license distribution also requires different layers of protection, including a high security tamper-protection solution called Fusion. The work surrounding Fusion was very complex and required significant changes at the OS Level.
About PACE Anti-Piracy
PACE Anti-Piracy Inc., an industry leader in providing robust software copy protection and flexible license management services, is a privately held company based in Silicon Valley, California. Since 1985, PACE has provided software publishers and distributors with easy-to-use high-quality solutions for anti-piracy protection and secure software distribution. PACE's products and services are used by an ever-growing number of world-class software publishers around the world.
Next-gen ‘White-Box Works’ code generator launches complete with EMVCo Software-Based Mobile Payment security evaluation certificate
1st March 2022 - San Jose, California - Banks, payment service providers (PSPs), schemes, and other financial institutions can now benefit from a uniquely high level of sensitive data protection and application attack resistance, following today’s launch of White-Box Works, a next-generation EMVCo-evaluated White-Box code generator, from PACE Anti-Piracy.
Unlike traditional solutions, White-Box Works gives the customer complete, independent control over their protected code, ensuring their encryption keys and proprietary algorithms never leave the customer’s premises. White-Box Works can transform any C-code into a protected white-box variant in a single step, offering unparalleled flexibility, security, and efficiency.
This level of in-house control also promises to increase operational efficiency for the customer, since they are no longer beholden to a white-box library vendor’s build schedule and can develop their application in accordance with their internal schedules. It also enables the customer to use, replace and update their deployed encryption keys and algorithms at will, with no need to re-engage PACE Anti-Piracy, or any other third-party vendor, to do so.
White-Box Works has been designed to defeat a variety of sophisticated attacks, including those involving reverse engineering, fault injection, and advanced statistical analysis (such as Differential Computation Analysis).
White-Box Works outputs code that has been designed to defeat a range of attacks to which many encryption-dependent financial apps remain vulnerable, including, for example, those supporting mobile payments, digital identity, self-service retail, and softPOS use-cases.
White-Box Works has also achieved an EMVCo Software-Based Mobile Payment (SBMP) security evaluation certificate, following a successful EMVCo SBMP Evaluation conducted by global security lab, Riscure.
“Statistical Analysis attacks are the bane of all white-box encryption protection solutions,” comments Allen Cronce, CEO of PACE Anti-Piracy, Inc. “We are very proud to be equipping the financial services industry with a solution capable of addressing these and other vulnerabilities. White-Box Works represents a significant step forward in the encryption protection space, and will give banks, PSPs, schemes, and other financial sector users greater confidence in the security of their sensitive data. We’re also delighted to accompany the launch with news of White-Box Works’ EMVCo SBMP evaluation certificate and are grateful to Riscure’s talented penetration testers. The entire Riscure team has been a pleasure to work with throughout the rigorous EMVCo evaluation process.”
“Riscure is proud to have assisted PACE Anti-Piracy in achieving an EMVCo SBMP evaluation certificate for White-Box Works,” adds Maarten Bron, Managing Director of Riscure North America. “This innovative technology provides a unique security capability for solution developers as it supports the creation of white-box instances for any algorithm, allowing for optimal flexibility and developer freedom when the protection of cryptographic keys is vital. This makes White-Box Works not only useful in payments, but also in other fields such as digital rights management, eHealth, IoT, automotive and more.”
“It's also noteworthy that White-Box Works was evaluated as a stand-alone technology and did not require the additional protection of binary hardening and tamper-proofing technology to receive an EMVCo security evaluation certificate,” adds Allen Cronce. “I believe this is another industry first for White-Box Works. It’s an unmatched achievement we are immensely proud to highlight.”
White-Box Works is available now. For more information, please visit our White-Box Works webpage or contact PACE Anti-Piracy at [email protected].
About PACE Anti-Piracy, Inc.
PACE Anti-Piracy, Inc. is a privately held company based in San Jose, California. Since 1985, PACE has provided software publishers and distributors with high-quality solutions for secure software distribution. PACE products are used by a growing number of world-class software publishers around the world.
About Riscure
Founded in 2001, Riscure is a leading global advisor on the security of connected and IoT devices, as well as a recognized vendor of advanced security testing tools and security training. Riscure helps customers around the world to build robust hardware and software solutions and to speed up the process of secure development and certification. Riscure is the thought leader in Mobile Security and has been the front runner on security analysis of White-box Cryptographic implementations since 2012.
www.riscure.com