Caml Crush: A PKCS#11 Filtering Proxy

  • Ryad Benadjila
  • Thomas Calderon
  • Marion Daubignard
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8968)


PKCS#11 is a very popular cryptographic API: it is the standard used by many Hardware Security Modules, smartcards and software cryptographic tokens. Several attacks have been uncovered against PKCS#11 at different levels: intrinsic logical flaws, cryptographic vulnerabilities or severe compliance issues. Since affected hardware remains widespread in computer infrastructures, we propose a user-centric and pragmatic approach for secure usage of vulnerable devices. We introduce Caml Crush, a PKCS#11 filtering proxy. Our solution allows to dynamically protect PKCS#11 cryptographic tokens from state of the art attacks. This is the first approach that is immediately applicable to commercially available products. We provide a fully functional open source implementation with an extensible filter engine effectively shielding critical resources. This yields additional advantages to using Caml Crush that go beyond classical PKCS#11 weakness mitigations.


PKCS#11 Filter Proxy OCaml Software 


  1. 1.
  2. 2.
  3. 3.
  4. 4.
  5. 5.
  6. 6.
  7. 7.
  8. 8.
    Sun RPC RFC 1057 (1988).
  9. 9.
  10. 10.
    Xdr, RFC 4506 (2006).
  11. 11.
    Bortolozzo, M., Centenaro, M., Focardi, R., Steel, G.: Attacking and fixing PKCS#11 security tokens. In: ACM Conference on Computer and Communications Security, pp. 260–269. ACM Press, October 2010Google Scholar
  12. 12.
    Cachin, C., Chandran, N.: A secure cryptographic token interface. In: CSF 2009, pp. 141–153. IEEE Computer Society (2009)Google Scholar
  13. 13.
    Clulow, J.: On the security of PKCS #11. In: Walter, C.D., Koç, Ç.K., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 411–425. Springer, Heidelberg (2003) CrossRefGoogle Scholar
  14. 14.
    Cortier, V., Steel, G.: A generic security API for symmetric key management on cryptographic devices. In: Backes, M., Ning, P. (eds.) ESORICS 2009. LNCS, vol. 5789, pp. 605–620. Springer, Heidelberg (2009) CrossRefGoogle Scholar
  15. 15.
    Delaune, S., Kremer, S., Steel, G.: Formal security analysis of PKCS#11 and proprietary extensions. J. Comput. Secur. 18(6), 1211–1245 (2010)Google Scholar
  16. 16.
    Fröschle, S., Steel, G.: Analysing PKCS#11 key management APIs with unbounded fresh data. In: Degano, P., Viganò, L. (eds.) ARSPA-WITS 2009. LNCS, vol. 5511, pp. 92–106. Springer, Heidelberg (2009) CrossRefGoogle Scholar
  17. 17.
    Benadjila, R., Calderon, T., Daubignard, M.: CamlCrush: a PKCS#11 Filtering Proxy (2014).
  18. 18.
    RSA Security Inc.: PKCS#11 v2.20: Cryptographic Token Interface Standard (2004)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Ryad Benadjila
    • 1
  • Thomas Calderon
    • 1
  • Marion Daubignard
    • 1
  1. 1.ANSSIParisFrance

Personalised recommendations