Formal security analysis of PKCS#11 and proprietary extensions

Delaune, Stéphanie; Kremer, Steve; Steel, Graham

doi:10.3233/jcs-2009-0394

Cited by 26 publications

(58 citation statements)

References 17 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We say that an API is secure if, for any cryptographic primitives used by the API, encrypting and signing data using the API is as secure as using the primitives themselves in isolation. This is strictly stronger than the model from Delaune et al, where an API is considered secure if the attacker cannot learn the values of honestly-generated secret keys [12,13]. Moreover, the adversary in our model is allowed to adaptively corrupt certain keys.…”

Section: Our Contributionmentioning

confidence: 94%

“…Weak Security Models: Many existing analyses of APIs use a Dolev-Yao style symbolic model to express the security of the API and only prove that the adversary cannot recover keys in full with certainty [1,5,7,[11][12][13]16]. While this notion of security rules out many of the attacks that have been described in the literature, it does not guarantee that any cryptographic primitives using these keys are secure, which is the security goal in our model.…”

Section: Comparison To Existing Workmentioning

confidence: 98%

“…STP has been implemented as a set of filtering rules in Caml Crush, a software filter that rejects certain PKCS#11 calls [2]. However, the filtering rules in Caml Crush allow users to compute and verify MACs, which is not captured by the model from Delaune et al [12,13]. Therefore the previous analysis of STP does not apply to what is implemented in Caml Crush.…”

Section: Introductionmentioning

confidence: 96%

“…In 2008, Delaune et al presented a formal, Dolev-Yao style model of PKCS#11 and used model-checking tools to find new attacks [12,13]. Bortolozzo et al then developed an automated tool called Tookan, built on the model by Delaune et al, that found and executed attacks against real hardware devices using PKCS#11 [5].…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

A Provably Secure PKCS#11 Configuration Without Authenticated Attributes

Stanley-Oakes

2017

Financial Cryptography and Data Security

View full text Add to dashboard Cite

Abstract. Cryptographic APIs like PKCS#11 are interfaces to trusted hardware where keys are stored; the secret keys should never leave the trusted hardware in plaintext. In PKCS#11 it is possible to give keys conflicting roles, leading to a number of key-recovery attacks. To prevent these attacks, one can authenticate the attributes of keys when wrapping, but this is not standard in PKCS#11. Alternatively, one can configure PKCS#11 to place additional restrictions on the commands permitted by the API. Bortolozzo et al. proposed a configuration of PKCS#11, called the Secure Templates Patch (STP), supporting symmetric encryption and key wrapping. However, the security guarantees for STP given by Bortolozzo et al. are with respect to a weak attacker model. STP has been implemented as a set of filtering rules in Caml Crush, a software filter for PKCS#11 that rejects certain API calls. The filtering rules in Caml Crush extend STP by allowing users to compute and verify MACs and so the previous analysis of STP does not apply to this configuration. We give a rigorous analysis of STP, including the extension used in Caml Crush. Our contribution is as follows: (i) We show that the extension of STP used in Caml Crush is insecure.(ii) We propose a strong, computational security model for configurations of PKCS#11 where the adversary can adaptively corrupt keys and prove that STP is secure in this model. (iii) We prove the security of an extension of STP that adds support for public-key encryption and digital signatures.

show abstract

Section: Our Contributionmentioning

confidence: 94%

Section: Comparison To Existing Workmentioning

confidence: 98%

Section: Introductionmentioning

confidence: 96%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

A Provably Secure PKCS#11 Configuration Without Authenticated Attributes

Stanley-Oakes

2017

Financial Cryptography and Data Security

View full text Add to dashboard Cite

show abstract

“…Building on the work of Longley and Rigby [9] and Bond and Anderson [10] on API attacks, several recent papers have investigated the security of APIs on the logical level adapting symbolic techniques for protocol analysis [11][12][13], finding many new attacks. As discussed before, recent work on appropriate security notions for APIs in terms of cryptographic games [4,5] lacks composability.…”

Section: Introductionmentioning

confidence: 99%

Universally Composable Key-Management

Kremer

Künnemann

Steel

2013

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Abstract. We present the first universally composable key-management functionality, formalized in the GNUC framework by Hofheinz and Shoup. It allows the enforcement of a wide range of security policies and can be extended by diverse key usage operations with no need to repeat the security proof. We illustrate its use by proving an implementation of a security token secure with respect to arbitrary key-usage operations and explore a proof technique that allows the storage of cryptographic keys externally, a novel development in simulation-based security frameworks.

show abstract

MAC-in-the-Box: Verifying a Minimalistic Hardware Design for MAC Computation

Robert

Nemati

2020

Computer Security – ESORICS 2020

View full text Add to dashboard Cite

Formal security analysis of PKCS#11 and proprietary extensions

Cited by 26 publications

References 17 publications

A Provably Secure PKCS#11 Configuration Without Authenticated Attributes

A Provably Secure PKCS#11 Configuration Without Authenticated Attributes

Universally Composable Key-Management

MAC-in-the-Box: Verifying a Minimalistic Hardware Design for MAC Computation

Contact Info

Product

Resources

About