Intertrust announced the launch of whiteCryption Secure Key Box (SKB) for Web at the RSA Conference 2020. The first and only enterprise-ready white-box cryptography solution for web applications, it ensures that web apps can be used without fear of exposing the underlying keys and credentials to cyberattack.
It protects cryptographic keys even when running on a compromised host, and provides stronger and broader protection than low-level interfaces, such as the Web Crypto API, which do not secure against side-channel and other attacks running outside the browser.
“A lot of people think that by using cryptography they are securing their systems, but what they often don’t realize is that they are merely shifting the problem of data protection to protecting the keys,” said Bill Horne, general manager of the Secure Systems product group at Intertrust.
“Secure Key Box for Web prevents hackers from stealing keys from Web applications, resisting existing and future side-channel and fault injection attacks with ‘drop-in and go’ ease that requires no additional operations or protocols.”
Information shared via a browser often needs to be encrypted to ensure rogue actors cannot access proprietary data and systems, impersonate a legitimate user, generate fraudulent digital signatures, or modify or create entirely false data and transactions.
For example, applications increasingly use APIs to interact with server-side applications, yet browser APIs and third-party cryptographic libraries cannot protect keys from attacks on the underlying host without having access to underlying hardware security support.
Hackers are able to obtain keys through various techniques including scanning memory at runtime for keys, or examining code to find hard-coded keys, and then employ the same key in attacks against the server.
The solution prevents application attacks by enabling standard cryptographic functions to be performed without the keys ever being exposed whether in use or at rest. SKB for Web also protects keys and credentials from side-channel attacks by making them safe from exploits running within the browser, as well as natively on the PC or device.