Check out this blog article from ScotlandIS member, PACE Anti-Piracy, discussing Key Rotation as a new level of cloud security and the challenges it can pose.
Encryption has become the most critical technique used in the protection of data and critical secrets across the Internet. Without reliable, secure, and manageable encryption techniques, the Internet and cloud services, upon which so many services, markets, and companies depend, will be at risk.
The challenge for any use of encryption is the potential compromise of the key. If the key can be compromised, the encryption will be broken, and the system can be brought down. Therefore, the protection of keys is critical, especially in a large, cloud-focused organization that generally combines Hardware Security Modules (HSMs) and perimeter network protection techniques.
But, in the world we presently inhabit, those keys often need to be used outside the protected perimeter. Indeed, in cloud services, IoT, blockchain, and other networked services, it is essential that these keys can be shared and used both within the perimeter and out in the big bad world. As a result, most cloud service providers and organizations will implement a technique known as Key Rotation.
Key Rotation is relatively simple in principle. It is like changing the locks on your home, but doing so every day, week, or month so that any lost house keys can’t be used by a finder. Of course, the techniques and technologies used to achieve this aren’t quite like having a locksmith on speed-dial, but it’s close!
Key Rotation has become good practice in cloud services and is a known, trusted security technique.
Key Rotation Challenges
There are challenges for Key Rotation in some industries. We’ve already discussed that once outside the perimeter, it’s a jungle, but when the devices connecting to a network and providing services are truly at the edge of a network, they are open to falling into the wrong hands and being accessed by intruders. These cases range from IoT devices on Medical, Industrial & SCADA systems, to the apps on the mobile device in your pocket.
Keys can be Rotated on external devices, whether ‘always on’ or not. However, specialist architectures are required, including hardware solutions such as HSMs, Trusted Execution Environments, and Secure Elements, as well as software techniques such as white-box cryptography.
Key Rotation for Mobile Payments
Let’s look at one of these use-cases a little more closely: Mobile Payments. The ability for consumers to make a payment to a merchant for goods or services from a mobile device has revolutionized the way many consumers shop—vastly accelerated by the pandemic. And with the new MPOC (mPOS – Mobile Point of Sale) specifications from PCI, merchants can accept payment directly on their own regular mobile devices. This opens up new avenues for Payment Service Provider (PSP) companies to expand and enhance their own services.
There are several interlocking and complimentary security technologies that are acceptable to the regulators of the payment rails. PCI sets out the various hardware and software combinations that allow the services to be delivered to ordinary account holder consumers, designed to protect the transaction and prevent fraud of the consumer or the merchant.
In order to deliver the additional security their PSP customers deserve from Key Rotation, Mobile Payment and mPOS developers must regularly change their underlying cryptographic key within their apps and push an update to their users via the app stores.
Simple, yes?
Well, yes and no…
Yes, releasing a new version through the App Store or Play Store is standard procedure and should be second nature to any developer…
And no, there are some challenges to changing the cryptographic key.
Rotation Keys in Software
The main issue is that in a pure software environment, the prescribed technique set out by the PCI is a technology known as white-box cryptography. This is a technique we describe in detail elsewhere but the basic principle is that it’s a specialized form of software library that protects a cryptographic algorithm (key) within the software of the app (or SDK).
This is fine until you look more closely at the way in which white-box technology is delivered by the vendors in this market. Vendors take the information supplied by the app developer, and then use that (including the required keys) to create a software library that can be built into the resulting app for distribution to the app store. This process, known as a first generation white-box, is the service offered by the vast majority of companies that provide white-box solutions.
First Generation White-Boxes
There are a number of challenges for any software app developer using a first generation white-box. The first is obvious: your critical keys have to be sent to a third party, and are now out of your control.
However, arguably this challenge is not the most critical. The suppliers of first generation white-boxes may offer them as part of an annual subscription license. The details of this license are vitally important to fully understand:
- Does the subscription include on-demand generation of new white-boxes?
- What is the Service Level Agreement?
- Will there be any service restrictions? For example, the number of White-Boxes required per annum
- Is there a development queue?
- Are additional white-boxes chargeable?
- How often can keys be rotated, given the SLA?
Bearing in mind that the creation of white-box libraries is controlled by the vendor, and may well be a very costly service, any payment app developer has to consider the practicality of Key Rotation, which is why so many don’t plan to change their key(s) very often—perhaps even only annually.
This is a self-evident security risk, of which app developers should make their PSPs, banks, and others aware. The importance of protecting keys is clear, however, the ability to manage them is arguably more so.
As stated at the top of this article, cryptographic keys themselves can be a single point of failure. If an adversary can analyze the application, find the key, and exploit it in an attack, then the whole process, including payments, API Access, and Personally Identifiable Information (PII), will be at profound risk. Financial and reputational damage can be immense—not to mention scrutiny from industry regulators.
An Alternative…..
If the model for creation and use of white-boxes can be changed, there is an opportunity to adopt regular, secure key management in general, and Key Rotation in particular.
If the developer of any mobile payment app or SDK can generate white-boxes at will, as often as every build should they be so inclined, then implementing the good practice of Key Rotation becomes practical for the first time in a pure mobile software environment.
Third generation white-box cryptography, as developed by PACE and used in its own Licensing Solutions, delivers a unique toolkit with the ability to create new white-box implementations as often as the app developer would wish, simply as part of the normal app build process.
As regulators and payment brands increasingly require Key Rotation for mobile applications, developers of mobile payments, mPOS, Digital IDs, DRM, and apps handling sensitive consumer data will need to consider how to meet this standard.
White-Box Works, PACE’s new third generation white-box solution, simplifies Key Rotation by allowing the app developer to understand, generate, and implement new white-box architectures at will. This enables them to easily change cryptographic keys as needed, in line with development cycles and regulatory demands.
Request a demo today to see how easy it is to rotate your keys.