We are here at FZI, the research centre
for computer science, Forschungszentrum
Informatik, which is the innovation
partner of the University here in
Karlsruhe. The university, Karlsruhe
Institute of Technology, is a large
university, a technical university, in
Baden-Württemberg, and here at FZI we do
the connection to the small and medium
enterprises, we transfer ideas,
knowledge and research to these. And I
think the collaboration with Wibu-Systems
is a prime example where
theoretical results from the University
were put here together and brought to
industry as we can see in the
demonstrator behind me.
Blurry Box is a software protection scheme, which is
the first software protection scheme
where you can tell the attacker how it
works and it still works, it still
protects your software. Previous schemes
were based on obfuscation, meaning
security by obscurity, meaning you
couldn't really prove that it's working,
whereas here we have a model in which we
can actually prove that it is indeed
protecting your software. This is a new
result, it's new from a theoretical
perspective, but it's also a new result
for practice, because now we can exclude
a large class of attacks and we didn't
know what actual security level we did
reach before that.
Blurry Box protects the software by using a secure
hardware dongle, the CodeMeter stick of
Wibu-Systems, and the software itself is
broken into small pieces; each piece
individually is encrypted and the dongle
decrypts the pieces, only if they are
needed during the run of the program. So
if you run the program, part of what is
protected by encryption will be
decrypted, but only what is needed for
this run. And if you now use the program
multiple times, you will have some parts
of the software you learn, but not all. So,
you will not get a working copy.
The software is broken into many small
pieces, which are encrypted individually,
but you could maybe think about sending
all those to the dongle and let them
decrypt one by one to obtain a copy of
the software. But some of these pieces
contain traps, meaning, if you send a
piece which is never actually used by
the program but which looks
indistinguishable from all the other
pieces, if you send such a piece to the
dongle, it will shut down, it will
immediately invalidate your software
license and you will not be able to
continue your attack.
In the demonstration, we see a small
video game, where a very small, a fuel
rocket space ship is navigated through
obstacles and, depending on the
trajectory you take, different parts of
the software are decrypted by the dongle.
But if you try to collect those and
resell them as your video game, you will
not succeed, because other people will
take other trajectories and the program
will not work. Actually as a new
development we managed to publish a
scientific paper about the methods
underlying Blurry Box; it got the best
post-award and actually currently we're
pursuing research in using hardware
trust anchors to establish all kinds of
security notions which cannot be
established with software alone.
Wibu-Systems is cooperating with KIT,
Karlsruhe Institute of Technology and
also FZI, the research institute for
computer science, for many years. For us
it's very important to have this
cooperation with the research institutes
to be able to do early enough the
necessary research for new technologies,
for changes in security as well, because
security is never 100 percent and you
cannot develop something that is
state-of-the-art for a long period of
time, so it needs to be always renewed
and upgraded. And having the latest
results from research, trying to put them
into our solutions, into our products,
keeps us ahead of the threats and the
attackers.
We have been cooperating with KIT and FZI for a long time; let me
show two samples of projects: one is Pro-Protect - that's in the textile industry
and it's about protection of production
data and also controlling the production
volume. Nobody was talking about Industry 4.0 at this time, but it's an excellent
sample of Industry 4.0 implementation
already at this time. A second project is
Blurry Box and Blurry Box is a new
protection scheme where all the used
protection mechanisms are public according to Kerckhoffs' principle. For this, we got the
first prize of the German IT Security Award, which is a very famous award in
Germany, and the jury selected our
solution because of the way that
it is done, so all mechanisms are public,
so it can be audited and really
evaluated, which security level it can
reach. And on the second side it has a
high economic impact, because software
today is everywhere: in medical devices,
in industrial automation, in automotive,
and of course in classic software on the
PC in the office.
To prove the Blurry Box protection
technology that we have developed with
Research Center of Information
Technology FZI and Karlsruhe
Institute of Technology KIT, we made a
hacking contest with more than 300
participants globally from the U.S., from
Europe, from Russia, from Asia. Nobody has
been able, as a result, within three weeks
to break the protection, so after that we
implemented these mechanisms into our
standard product CodeMeter for
protection, licensing, and security of
software for any applications. The
implementation of the Blurry Box
mechanisms in our standard product makes
it easy for our customers to implement
these complex mechanisms and they get it
as an upgrade free of charge to the
existing protection mechanisms.
Our future plans are continuation of
this cooperation with KIT and FZI for
several purposes; security is never 100%
and never finished, so we need to work on
that continuously, for example, in the
area of quantum cryptography just to
mention one example, and to have security
on an unsecured hardware as another
example. And another topic, another
benefit is that with the cooperation
with KIT and FZI also young
engineers, young researchers can get
to know Wibu-Systems; that is a big
advantage in the war for talents that we
have today.
