The following technologies can be used to protect data:

  1. Encryption using the AES128 algorithm.
  2. Electronic signature using the ECC160 algorithm.

The AES128 and ECC160 algorithms are added to the Guardant key when the license is recorded. Each license feature contains a unique AES encryption key and a unique key pair for the ECC algorithm. Thus, the absence of the required feature in the license automatically means that it is impossible to decrypt the data and verify the electronic signature.

AES encryption

A hardware key, like any device, has limited performance. Small amounts of data can be encrypted and decrypted directly with the AES128 hardware algorithm written into the key. For large amounts of data, a software encryption mechanism is recommended.

The developer can choose any algorithm (for example, AES256). A properly designed mechanism for using this method, combined with protection against reverse engineering, provides a level of protection similar to that of encrypting data directly with the hardware algorithm in the Guardant key.

The main principle of the software method: the key for software encryption is not stored in the application or in any other file. It is calculated indirectly, while the protected application is running, using the Guardant key.

One of the most popular methods of software encryption is the Question-Answer table.


Prepare for data protection: 

  1. Write a license with at least one feature into the Guardant key.
  2. Separately generate several encryption keys (for example, 5) for the software algorithm you have chosen.
  3. Generate a table of Questions — random sets of characters that the application will send to the Guardant key for verification.
  4. Calculate a table of Answers. To do this, compute a hash of each Question, send this hash to the Guardant key, and receive it back encrypted with the AES algorithm of a specific license feature.
  5. Calculate a table of Results. To do this, compute a hash of each Answer and XOR it with the key of the software encryption algorithm (a specific one of those generated in step 2).



Data protection:

  1. Encrypt the protected data using the software keys generated in step 2.
  2. Write the Questions and Results tables into your software. Note that the Answers table does not need to be written anywhere.

During the application operation:

  1. The application sends a hash of a randomly selected Question to the Guardant key.
  2. The Guardant key encrypts the received hash using the hardware AES algorithm and returns the Answer.
  3. The application hashes the Answer and performs a XOR operation with the Result that corresponds to the given Question. If the Question, Answer and Result match each other, then the output is the key for the software encryption algorithm, which can be used to decrypt the data.

    Once a calculated encryption key has been used, it should be immediately removed from memory.
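
The Question-Answer procedure above, implemented end to end as an added example (not Guardant code and not the Guardant Licensing API). Assumptions: the hypothetical `SimulatedKey` class stands in for the hardware key and uses HMAC-SHA256 in place of the key's AES128 call so that the example runs offline, SHA-256 is the hash, and software keys are 32 bytes long.

```python
import hashlib
import hmac
import secrets

class SimulatedKey:
    """Hypothetical stand-in for the Guardant key: a keyed transform bound to
    one license feature. Assumption: HMAC-SHA256 replaces the hardware AES128."""
    def __init__(self, feature_secret: bytes):
        self._secret = feature_secret

    def transform(self, question_hash: bytes) -> bytes:
        return hmac.new(self._secret, question_hash, hashlib.sha256).digest()

def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def build_tables(key, software_keys, per_key=2):
    """Preparation steps 3-5. Returns [(Question, Result)] rows to embed in the
    application; the Answers are computed here and then thrown away."""
    table = []
    for sk in software_keys:
        for _ in range(per_key):
            question = secrets.token_bytes(16)
            answer = key.transform(digest(question))
            table.append((question, xor(digest(answer), sk)))
    return table

def recover_key(key, table):
    """Runtime steps 1-3. Returns (row index, derived software key)."""
    i = secrets.randbelow(len(table))
    question, result = table[i]
    answer = key.transform(digest(question))
    # A key without the right feature yields a different Answer, so the XOR
    # produces an unusable value instead of the software key.
    return i, bytearray(xor(digest(answer), result))

def wipe(buf: bytearray) -> None:
    """Overwrite the derived key in place once it has been used."""
    for i in range(len(buf)):
        buf[i] = 0

if __name__ == "__main__":
    sw_keys = [secrets.token_bytes(32) for _ in range(5)]   # step 2
    dongle = SimulatedKey(b"constructed-feature-secret")    # constructed value
    rows = build_tables(dongle, sw_keys)
    idx, k = recover_key(dongle, rows)
    print("recovered:", bytes(k) == sw_keys[idx // 2])
    wipe(k)
```

In CPython, zeroing the `bytearray` does not clear the intermediate immutable `bytes` objects created during the calculation, so a real implementation of the "remove from memory" step belongs in native code.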

     

ECC Electronic Signature

Prepare for data protection:

Write a license with at least one feature into the Guardant key.

Data protection:

  1. Sign the protected data with an electronic signature using the ECC160 algorithm in the Guardant key (the Guardant Licensing API function automatically calculates a hash for the protected data and returns its signature).
  2. Save the resulting signature in the application or in the key memory.
  3. Save the public key for the used ECC160 algorithm in the application (located in the Guardant Station interface on the page of a specific feature).

During the application operation:

The application, via the Guardant Licensing API, programmatically verifies the signature of the protected data using the stored signature and public key.
