2001
DOI: 10.1007/3-540-44709-1_19

Attacks on Cryptoprocessor Transaction Sets

Abstract: Attacks are presented on the IBM 4758 CCA and the Visa Security Module. Two new attack principles are demonstrated. Related key attacks use known or chosen differences between two cryptographic keys. Data protected with one key can then be abused by manipulation using the other key. Meet in the middle attacks work by generating a large number of unknown keys of the same type, thus reducing the key space that must be searched to discover the value of one of the keys in the type. Design heuristics are …

Cited by 48 publications
(67 citation statements)
References 2 publications
“…For example, a data key would be encrypted under KM⊕DATA. Keys encrypted in this manner are known as working keys and are stored outside of the security module. They can then only be used by sending them back into the HSM under the desired API command.…”
Section: Analysing the IBM Recommendations Using CL-AtSe
Citation type: mentioning
confidence: 99%
“…The intruder's initial knowledge includes an unknown working key of each type, to reflect the fact that even if he does not already have such keys, he can always 'conjure' one by repeatedly trying random values against a command, [2, §3.4]. In addition, he is given all the initial knowledge assumed by Bond in his attacks, [2], which includes a key part K3, a partially completed importer key {|KEK⊕K3|}_{KM⊕KP⊕IMP}, a PIN derivation key PDK encrypted under transport key KEK, and a customer's account number PAN. For standard security protocols, we would be interested in model checking properties such as the secrecy of a newly agreed session key, i.e.…”
Section: Modelling the API
Citation type: mentioning
confidence: 99%
“…Given that many attacks against APIs rely on logical flaws rather than weak cryptography, a large body of work addresses their security using symbolic models. The first set of attacks were discovered by Longley and Rigby [19], Bond [3], and Clulow [7]. [14] and Cortier and Steel [9] analyze a fragment of the PKCS#11 standard.…”
Section: Instantiating a KM-API
Citation type: mentioning
confidence: 99%
“…The standards typically lack a clearly defined security goal, let alone a rigorous analysis that any security claim is reasonably met. As a result, proper deployment relies strongly on best practices (undocumented in the public domain); moreover, tokens are subject to regular successful attacks [2][3][4][7]. This raises the question whether the security of cryptographic APIs can be captured and compartmentalized, taking into account the reality that some keys will leak.…”
Citation type: mentioning
confidence: 99%
“…Another benefit of utilizing HSMs is that they define the point at which any abuse of the key material may occur; so whilst a given HSM may not be truly secure (e.g. it may be susceptible to API attacks [6,8]), nor may they require authentication of the caller, they do from a pragmatic point of view provide the location where any abuse by an attacker will occur.…”
Section: Introduction
Citation type: mentioning
confidence: 99%