The Blurry Box Encryption Revolution
2017-03-01 Oliver Winzenried
“The system should not require secrecy and it must not be a problem if it falls into enemy hands.”
Those were the words of Auguste Kerckhoffs, who published two articles in 1883 in which he surveyed the military ciphers of the time and proposed six principles for the design of new ciphers. One of those principles, known as Kerckhoffs’ Principle, remains a fundamental foundation of modern cryptography.
Encryption has become a vital consideration in an increasingly connected world. Conventional software encryption schemes often rely on the principle of “security through obscurity”. According to this principle, the security of a system is fundamentally tied to the secrecy of the protection mechanisms that are shielding it from attacks. As a result, all programs protected by the same protection scheme can be hacked using the same attack method. Put differently: it can be worthwhile for a hacker to invest considerable effort into a generic attack on a given protection method, since the attack is "scalable" and commercially exploitable, and will soon finds its way into a new wave of hacking guidelines for the entire hacking community.
However, if the protection was designed in such a way that an extensive hacking effort is required for each new protected program, the overall risk would be decreased. In this case, the attack might be successful for a single program only, which would significantly compromise the commercial viability and scalability of the hacking operation. In order to achieve this goal, the protection design requires a different approach. Rather than keeping the method secret, Kerckhoffs’ Principle predicates that only the encryption key requires utmost secrecy. That’s the basic concept behind this new technology called Blurry Box.
The application of Blurry Box in today’s smart factories can provide dramatic benefits, particularly in protecting sensitive data. Sensitive data can include production data in many forms and sizes, such as 3D blueprints or punch schemes for embroidery machines, or the technology data or configurations used in manufacturing processes. This invaluable data needs to be safeguarded against know-how theft, counterfeiting, and tampering, otherwise software-as-a-service will easily degrade into piracy-as-a-service. Applying Kerckhoffs’ Principle would provide encryption methods associated with hardware anchors of trust and ensure IP confidentiality and the integrity and authenticity of digital signatures.
The 3rd edition of the Industrial Internet Consortium’s (IIC) Journal of Innovation includes an in-depth description of Blurry Box encryption which was developed in conjunction with Wibu-Systems and the FZI Research Center for IT at the Karlsruhe Institute of Technology. The article, Blurry Box Encryption Scheme and Why it Matters to IIoT, illustrates the security benefits in use cases in several areas, including Industrie 4.0, IoT, automation, automotive, banking, medical, microgrid controls, and the textile industries.
With software at the foundation of new Internet-connected devices, modern encryption mechanisms are critical to protect IP from copying and reverse engineering. And, these mechanisms are just as vital in the Industrial Internet of Things, where connected devices, machines and factories need strong safeguards against malicious tampering that can pose serious threats to public safety and critical infrastructure.
Security issues in Smart Factories is discussed further in the IIC’s technical white paper, Smart Factory Applications in Discrete Manufacturing, published by the IIC Smart Factory Task Group.
Contributor
Oliver Winzenried
Co-founder and CEO
Oliver Winzenried began his entrepreneurial career immediately after completing his electrical engineering degree and, in 1989, he founded Wibu-Systems together with Marcellus Buchheit. His passion for software protection has resulted in a wide range of patents covering areas from secure license management and anti-tampering solutions to dongle feature innovations. He is also a director of the VDMA regional association in the state of Baden-Wuerttemberg, Germany, and serves on the board of directors of the Medical Technology working group of VDMA, the board of directors of bitkom, and the managing board of FZI.