A Generic Security API for Symmetric Key Management on Cryptographic Devices
- 2.4k Downloads
Security APIs are used to define the boundary between trusted and untrusted code. The security properties of existing APIs are not always clear. In this paper, we give a new generic API for managing symmetric keys on a trusted cryptographic device. We state and prove security properties for our API. In particular, our API offers a high level of security even when the host machine is controlled by an attacker.
Our API is generic in the sense that it can implement a wide variety of (symmetric key) protocols. As a proof of concept, we give an algorithm for automatically instantiating the API commands for a given key management protocol. We demonstrate the algorithm on a set of key establishment protocols from the Clark-Jacob suite.
KeywordsSecurity Level Secret Data Replay Attack Host Machine Brute Force Attack
- 1.Council regulation (ec) no 2252/2004: on standards for security features and biometrics in passports and travel documents issued by member states (December 2004), http://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2004:385:0001:0006:EN:PDF
- 4.CCA Basic Services Reference and Guide (October 2006), www.ibm.com/security/cryptocards/pdfs/bs327.pdf
- 5.Clark, J., Jacob, J.: A survey of authentication protocol literature: Version 1.0 (1997), http://www.cs.york.ac.uk/jac/papers/drareview.ps.gz
- 8.Cortier, V., Steel, G.: Synthesising secure APIs. Research Report RR-6882, INRIA (March 2009)Google Scholar
- 9.Courant, J., Monin, J.-F.: Defending the bank with a proof assistant. In: Proceedings of the 6th International Workshop on Issues in the Theory of Security (WITS 2006), Vienna, Austria, March 2006, pp. 87–98 (2006)Google Scholar
- 11.Fröschle, S., Steel, G.: Analysing PKCS#11 key management APIs with unbounded fresh data. In: Degano, P. (ed.) ARSPA-WITS 2009. LNCS, vol. 5511, pp. 92–106. Springer, Heidelberg (2009)Google Scholar
- 12.IBM Comment on A Chosen Key Difference Attack on Control Vectors (January 2001), http://www.cl.cam.ac.uk/~mkb23/research.html
- 16.RSA Security Inc., v2.20. PKCS #11: Cryptographic Token Interface Standard (June 2004)Google Scholar