THANK YOU FOR SUBSCRIBING
The most common approach to secure point to point data transportation is Black Box Cryptography [https://en.wikipedia.org/wiki/Black_box], also known as secure tunneling. It converts incoming traffic to a ciphered stream according to publicly known mathematical algorithms. The secrecy is achieved via a secret key which is used as a parameter for the coding algorithms.
The following assumptions are made:
1. The encryption algorithm is one of the standard well-defined algorithms (e.g., AES 256 [https://en.wikipedia.org/wiki/Advanced_Encryption_Standard]) which may be implemented by COTS (Commercial-Off-The-Shelf) hardware or software.
2. The secret key(s) are kept in a trusted location and are reachable only by the sender and the receiver. If attackers get the keys and intercept the traffic, they can not only decrypt it but also modify and encrypt again, thus sending malicious traffic to the receiver.
The huge amount of sophisticated cyber-attacks we are facing has clearly marked the tendency of “insider’s threats”. Insiders open back doors to attackers (unintentionally or maliciously). Insiders do so by opening some emails, clicking a link, connecting an external disk, etc.. A malware gets access to internal network and can open a backdoor through the management port of the security equipment itself, a severe cyber threat. From this point, getting the encryption keys of the company’s firewall (or other encryption device) is just the matter of time. It usually takes several hours for hackers to access the information and several months for victims to realize that their data has been hacked.
A new approach to encryption, remediating such vulnerability, is White Box Cryptography (WBC).
WBC is used mostly with standard VPN [https://en.wikipedia.org/wiki/Virtual_private_network] tunneling (or other standard algorithms) to protect against insiders who know the secret keys and tunnel parameters. WBC is applied on both sides of the secure tunnel: on the WAN [https://en.wikipedia.org/wiki/Wide_area_network] side of the standard firewall (or other border element that provides the tunneling) and on the second side of the tunnel. WBC changes the bits of the encrypted payload according to certain mathematical transformation. The offsets and lengths of inverted data patterns will be changing constantly. The best security is achieved when the encryption parameters are changed every frame. But the frequency of the change may vary for different implementations. WBC may be implemented both through hardware or software. In the case of software implementation, there is always a risk of reverse engineering if hackers take control on the operating system. The hardware implementation should work fully autonomously without any human intervention, without any interface with protected endpoint and without visibility on the network (no addresses, no latency). The decryption device on the opposite side of the tunnel will not be able to decrypt the frame if it has not passed through the “correct” WBC procedure. This approach assumes no predefined encryption keys. The keys are constantly generated by using mathematical transformations. These transformations remain secure even if the attacker got control over the internal network. The way each WBC encryption works is unique and differs for different vendors. The following schema depicts the correct usage of WBS procedure.
In the case of attempts to build the tunnel using correct secret keys but without WBC procedure the border element at the receiver’s side will not be able to decrypt the message:
Key generation for WBC is based on robust pseudo-random procedure (e.g., Maclaurin series [https://en.wikipedia.org/w/index.php?title=Taylor_series&redirect=n]
with independent changeable parameters.
Each WBC has the ability to identify the changeable keys for every ciphered frame. No preloaded keys are allowed.