Securing encryption keys in web apps

By Paul Butterworth


Cryptography underpins our modern world. It protects the transmission of private data, authenticates users, and secures digital transactions. 

Advances in cryptographic algorithms have made decrypting secret information extremely difficult, costly, and time-consuming for hackers. Modern public-key cryptographic algorithms, such as RSA and ECC, use what is called asymmetric encryption. They rely on a related pair of keys: a public key and a matching private key. If, for example, a piece of data is encrypted with the private key, it can only be decrypted with the matching public key, and vice versa. As well as providing encryption, this also enables a receiving party to validate that the data originated from a genuine source.

Why encryption key security matters

All of this assumes that the cryptographic key is kept and used securely. If keys aren’t properly protected, then rogue actors can use them to eavesdrop on communications, steal sensitive information, hijack transactions, and generate fraudulent digital signatures which mimic ‘trusted’ protections and can be used for further attacks.

Hackers employ a number of methods in their attempt to steal encryption keys, such as:

  • Analyzing applications and taking keys found in the source code
  • Reverse engineering apps to establish how and what keys are being used
  • Speculative execution exploits such as CacheOut and Zombieload
  • Side-channel attacks that exploit indirect information, such as differential fault analysis, patterns of memory access, or power usage
  • AES key extraction

To keep systems and data safe, encryption key security is vital. Trusted execution environments, hardware security modules, and other OS-provided and hardware-backed key security options offer varying degrees of protection. In addition, extra key protections such as white-box cryptography are generally recommended. The problem becomes especially challenging, however, for web applications.

Why web application encryption is particularly vulnerable

JavaScript provides powerful and flexible tools for creating web applications, but it has also left them vulnerable. The Verizon 2019 Data Breach Investigations Report found that web applications are one of the top three attack vectors across nearly every vertical.

Cryptographic keys, in particular, are highly targeted as encryption key security in web apps is so limited. Browsers often do not have access to built-in hardware-based technologies. With cryptographic keys used in every web interaction, from user verification, to website authentication, to the secure transmission and storage of data, this seemingly small problem has enormous ramifications.

Without access to traditional key protection methods, the only option until recently was to use the Web Crypto API, which provides cryptographic functions to JavaScript web apps. However, while the Web Crypto API does indeed protect keys from web-based attacks, it offers limited key management features, is complicated to set up and use, and does not directly support any key-storage mechanism. This lack of secure storage opens up a key-lifting vulnerability via reverse engineering, memory examination, or side-channel attacks.

A stronger mechanism to reduce web application encryption risks is to utilize white-box cryptography to bolster encryption key security.

How white-box cryptography protects web apps

White-box cryptography is a security technology for protecting cryptographic keys that is highly resistant to reverse engineering, memory examination, and side-channel attacks. It uses an advanced drop-in cryptographic library that enables web applications to perform cryptographic operations without ever exposing the keys, whether they are in use or at rest. In essence, encryption keys are embedded in the algorithms, making them nearly impossible to extract. In a white-box implementation, keys are never exposed, even in memory, so memory-based attacks will fail.

Using a white-box cryptographic solution for web apps also means that the keys used by applications remain secure even if the host device or PC running it has been compromised (such as with a jailbroken iOS or rooted Android device). It also protects them from the range of side-channel attacks that are increasingly being used by hackers to locate and extract encryption keys.

Trust the only enterprise-ready solution

whiteCryption Secure Key Box (SKB) for Web is the only enterprise-ready solution on the market to provide advanced software-based cryptographic protection for web apps and browsers. Our SKB undergoes regular third-party pen testing and supports all popular cryptographic algorithms and functions.

In an age where not protecting your encryption keys can be as bad as having no encryption at all, whiteCryption Secure Key Box provides an easy-to-deploy and highly effective software-based solution. To find out more about web application encryption risks and our unique encryption key security capabilities, get in touch with us today.

About Paul Butterworth

Paul Butterworth is an experienced payment and security professional, having spent almost 30 years in the card, payments and IT security industries. Paul is responsible for global product marketing for the Intertrust Secure Systems’ market leading application shielding and device identity solutions.
