Type-Based Analysis of PKCS#11 Key Management

  • Matteo Centenaro
  • Riccardo Focardi
  • Flaminia L. Luccio
Part of the Lecture Notes in Computer Science book series (LNCS, volume 7215)


PKCS#11 is a security API for cryptographic tokens. It is known to be vulnerable to attacks which can directly extract, as cleartext, the value of sensitive keys. In particular, the API does not impose any limitation on the different roles a key can assume, and it permits conflicting operations, such as asking the token to wrap a key with another one and then to decrypt it. Fixes proposed in the literature, or implemented in real devices, impose policies restricting key roles and token functionalities. In this paper we define a simple imperative programming language, suitable for coding PKCS#11 symmetric key management, and we develop a type-based analysis to prove that the secrecy of sensitive keys is preserved under a certain policy. We formally analyse existing fixes for PKCS#11 and we propose a new one, which is type-checkable and prevents conflicting roles by deriving different keys for different roles.
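As an added illustration (not code from the paper, which defines its own imperative language and type system), the following constructed Python model contrasts the three situations the abstract names: a token that lets one key hold both the wrap and decrypt roles, a policy that rejects such conflicting templates, and the proposed fix that derives a distinct key per role so that wrap-then-decrypt no longer yields the sensitive key. The token, its attribute names and the toy cipher are assumptions of this model.

```python
import hashlib
import hmac
import os

# Toy model, constructed for this page (not the paper's formal language), of a
# PKCS#11-style token: handles map to (key value, set of role attributes).
CONFLICTING = ({"wrap", "decrypt"}, {"unwrap", "encrypt"})

def conflicting_roles(attrs):
    """Policy check: first conflicting role pair present in attrs, else None."""
    for pair in CONFLICTING:
        if pair <= set(attrs):
            return pair
    return None

def keystream_xor(key, data):
    """Deterministic toy cipher (model only): XOR with an HMAC-derived keystream."""
    stream = hmac.new(key, b"keystream", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

class Token:
    def __init__(self, derive_per_role=False, enforce_policy=False):
        self.derive_per_role = derive_per_role  # the paper's proposed fix
        self.enforce_policy = enforce_policy    # reject conflicting templates
        self.keys = {}
    def create(self, attrs, value=None):
        if self.enforce_policy and conflicting_roles(attrs):
            raise PermissionError(f"conflicting roles: {sorted(attrs)}")
        handle = len(self.keys) + 1
        self.keys[handle] = (value or os.urandom(32), set(attrs))
        return handle
    def _role_key(self, handle, role):
        value, attrs = self.keys[handle]
        if role not in attrs:
            raise PermissionError(f"handle {handle} lacks role {role}")
        if not self.derive_per_role:
            return value
        # Different keys for different roles: wrap and decrypt never share material
        return hmac.new(value, role.encode(), hashlib.sha256).digest()
    def wrap(self, wrapping, target):
        return keystream_xor(self._role_key(wrapping, "wrap"), self.keys[target][0])
    def decrypt(self, handle, ciphertext):
        return keystream_xor(self._role_key(handle, "decrypt"), ciphertext)

def leaks_sensitive_key(token):
    """Wrap a sensitive key under k, then decrypt with k: is its value revealed?"""
    k = token.create({"wrap", "decrypt"})
    s = token.create({"sensitive"}, value=b"S" * 32)
    return token.decrypt(k, token.wrap(k, s)) == token.keys[s][0]
```

With `Token()` the conflicting roles expose the sensitive key's value; with `Token(derive_per_role=True)` the same call sequence returns unrelated bytes, and `Token(enforce_policy=True)` refuses to create the conflicting key at all.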





Copyright information

© Springer-Verlag Berlin Heidelberg 2012

Authors and Affiliations

  • Matteo Centenaro (1)
  • Riccardo Focardi (1)
  • Flaminia L. Luccio (1)
  1. DAIS, Università Ca’ Foscari Venezia, Italy
