
About Blurry Box

Ever since software was first introduced, developers and crackers, product inventors and pirates, solid infrastructure builders and hackers have been engaged in an arms race. Regardless of where one stands in the debate between homegrown solutions and specialized technologies, conventional software protection often relies on the principle of “security through obscurity”. According to this principle, the security of a system is fundamentally tied to the secrecy of the protection mechanisms that are shielding it from attacks.

 

Kerckhoffs’ Principle

In 1883, Auguste Kerckhoffs published two articles in the Journal des sciences militaires, in which he surveyed the military ciphers of the time and proposed six principles for the design of new ciphers. Some of those principles were dependent on the technology available at the time, but one principle, known as Kerckhoffs’ Principle, is still valid today and has fundamentally shaped the mindset of modern cryptography (translated from the French):

 

“The system should not require secrecy, and it must not be a problem if it falls into enemy hands.”

 

Kerckhoffs’ Principle provides a revolutionary approach to software protection, yet little work has been done to demonstrate its efficacy or practical business applications.

 

Blurry Box Cryptography

At its core, Blurry Box is based on the assumption that a hacker lacks the domain knowledge necessary to create a software product. The main idea is to split the program code into small pieces to make it practically infeasible to retrieve all pieces by running the code. The hacker’s lack of domain knowledge prevents him from creating additional pieces on his own. The following sequence describes the protection mechanisms of the Blurry Box scheme:

 

  • Assume that program code consists of several function blocks.
  • Each function block is copied multiple times.
  • Each copy is modified in such a way that it yields the correct values only for a restricted set of inputs. These modified copies are called variants of the function block.
  • All variants together cover the entire input range of the original function block.
  • Variants may be created by, e.g., deleting operations that are not necessary for a specific interval or by using approximation techniques.
  • A wrapper function that maps inputs to the address of the corresponding next variant is created. These wrapper functions are moved into a dongle, which can be done since these functions are sufficiently lightweight to run on restricted hardware.
  • In addition, the dongle comes with state storage for detecting illicit sequences of variants.
  • A performance limit can be set for the maximum number of encryptions that the dongle can perform in 30 seconds.

Each variant is encrypted with a different key, known as the variant key, using the Advanced Encryption Standard (AES). Each variant key is in turn encrypted with a secret key stored on the dongle. During each program execution, only the variants that correspond to the current set of inputs are decrypted. The hacker can therefore only see the parts of the program code that correspond to previous input values.

 

Up to now, the scheme described above can be trivially broken by simply decrypting one variant after another using the dongle. To prevent such a trivial attack, traps are introduced. Traps contain special variant keys that, when decrypted, force the dongle to lock itself, invalidating the license. Of course, during normal program execution, traps are never decrypted.
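The following sketch models the variant, wrapper, variant-key and trap mechanisms described above. It is an added example, not Wibu-Systems code: the Dongle class, the function names, the sample function block and the "first byte marks a trap" convention are assumptions, and a SHA-256 keystream stands in for AES so that it runs with the Python standard library only. State storage and the performance limit are left out.

```python
import bisect, hashlib, os

def toy_cipher(key: bytes, data: bytes) -> bytes:
    """Stand-in for AES (assumption): XOR with a SHA-256 counter keystream."""
    stream = b"".join(hashlib.sha256(key + bytes([i])).digest()
                      for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

class Dongle:
    """Holds the secret key, the wrapper function and the lock state."""
    def __init__(self, bounds):
        self._secret, self._bounds, self.locked = os.urandom(32), bounds, False

    def wrap(self, slot: int, variant_key: bytes) -> bytes:
        # Encrypt a variant key under the dongle secret (slot keeps streams distinct).
        return toy_cipher(self._secret + bytes([slot]), variant_key)

    def select(self, x: int) -> int:
        # Wrapper function: map an input to the slot of the variant covering it.
        return bisect.bisect_right(self._bounds, x)

    def unwrap(self, slot: int, wrapped: bytes) -> bytes:
        if self.locked:
            raise PermissionError("dongle locked, license invalid")
        key = toy_cipher(self._secret + bytes([slot]), wrapped)
        if key[0] == 1:  # constructed convention: first byte 1 marks a trap key
            self.locked = True
            raise PermissionError("trap decrypted, dongle locked")
        return key

def protect(dongle, variants, n_traps):
    """Encrypt each variant under its own key, then append trap slots."""
    image = []
    for slot, src in enumerate(variants + ["lambda x: 0"] * n_traps):
        flag = 1 if slot >= len(variants) else 0
        key = bytes([flag]) + os.urandom(15)
        image.append((dongle.wrap(slot, key), toy_cipher(key, src.encode())))
    return image

def run(dongle, image, x):
    """Normal execution: decrypt only the variant the wrapper selects for x."""
    slot = dongle.select(x)
    wrapped, blob = image[slot]
    src = toy_cipher(dongle.unwrap(slot, wrapped), blob).decode()
    return eval(src)(x)  # variant sources are the constants constructed below

# Constructed function block f(x) = 2*|x| (+10 above 100), split into three variants.
VARIANTS = ["lambda x: -2 * x", "lambda x: 2 * x", "lambda x: 2 * x + 10"]
BOUNDS = [0, 101]  # variant 0: x < 0, variant 1: 0..100, variant 2: x > 100
```

With protect(Dongle(BOUNDS), VARIANTS, 2), calls to run() never touch the trap slots, whereas unwrapping every slot in turn reaches a trap key and leaves the dongle locked for all later calls.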

 

You can find the complete article, “Blurry Box Encryption Scheme and Why it Matters to Industrial IoT”, in the Industrial Internet Consortium Journal of Innovation.

 

German IT Security Prize

In 2014, out of the eleven finalists that were selected from 66 applicants, Blurry Box received unconditional acclaim from the international cybersecurity community: the jury of the 5th German IT Security Award named Wibu-Systems, the FZI Research Center, and the Karlsruhe Institute of Technology the joint winners of the first prize of this highly coveted award. The German IT Security Award is conferred only every two years and enjoys special esteem among IT security specialists.

 

Blurry Box® is a registered trademark of WIBU-SYSTEMS AG.