
Fundamentally it is impossible to protect software if you can't trust the execution platform (e.g. using a TPM), so what is the point of software security then?

With vendors claiming that their white-box crypto / obfuscation techniques are the best, is there a methodology or a way to assess the strength of software security?

  • 1
    I'm voting to close this question as off-topic because it is about information security. – fkraiem Jun 08 '16 at 00:03
  • @fkraiem: Software security here has to be understood as security of a software-only implementation of some cryptographic algorithm. IMHO I find the question relevant. White-box cryptography is definitely a cryptographic topic. – user94293 Jun 08 '16 at 00:36
  • 1
    That is not how I understand the term software security; the vast majority of software security flaws happen on non-crypto software, so there does not seem to be any reason to restrict the question to crypto software. – fkraiem Jun 08 '16 at 00:40
  • 4
    Can you better define what you are talking about when you say "protect" and "security"? In other words, what is your threat model, what is your critical information you are trying to protect, etc? – mikeazo Jun 08 '16 at 00:53
  • 4
    I don't think this is necessarily off-topic, but it could really use some clarification. For example, why can't you choose to trust the platform even without trusted hardware? I trust my desktop system even though I have no TPM. That means I have to assume e.g. that no one's tampered with it physically, but software methods are enough to prevent (most) remote threats. – otus Jun 08 '16 at 04:32

1 Answer

Recently, ECRYPT CSA organized a white-box challenge where you can publish your white-box implementation for AES-128 without exposing your design and the chosen key.

As a result, all the submitted challenges have been broken in less than one month, which further proves that "obscurity" is never sufficient to protect your assets.

To the best of my knowledge, there are no formal methods to measure the obscurity strength achieved in software.

Junwei WANG