Automated Backward Analysis of PKCS#11 v2.20

  • Robert Künnemann
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9036)


The PKCS#11 standard describes an API for cryptographic operations which is used in scenarios where cryptographic secrets need to be kept secret, even in case of server compromise. It is widely deployed and supported by many hardware security modules and smart cards. A variety of attacks in the literature illustrate the importance of a careful configuration, as API-level attacks may otherwise extract keys.

Formal verification of PKCS#11 configurations requires the analysis of a system that contains mutable state, a problem that existing methods solved by either artificially restricting the number of keys, introducing model-specific over-approximation or performing proofs by hand. At Security & Privacy 2014, Kremer and Künnemann presented a variant of the applied pi calculus that handles global state and, in conjunction with the tamarin prover for protocol verification, allows for the precise analysis of protocols with state. Using this tool chain, we show secrecy of keys for a PKCS#11 configuration that makes use of features introduced in version 2.20 of the standard, including wrap and unwrap templates in an extensible model.

This configuration supports the creation of so-called wrapping keys for import and export of sensitive keys (e.g., for backup or transfer), and it permits the co-existence of sensitive keys and non-sensitive keys on the same device.


Keywords: Smart Card; Trace Formula; Security Property; Tool Chain; Security Token


References

  1. Abadi, M., Fournet, C.: Mobile Values, New Names, and Secure Communication. In: POPL 2001. ACM Press (2001)
  2. Adão, P., Focardi, R., Luccio, F.L.: Type-Based Analysis of Generic Key Management APIs. In: CSF, pp. 97–111. IEEE (2013)
  3. Ahmed, N., Jensen, C.D., Zenner, E.: Towards Symbolic Encryption Schemes. In: Foresti, S., Yung, M., Martinelli, F. (eds.) ESORICS 2012. LNCS, vol. 7459, pp. 557–572. Springer, Heidelberg (2012)
  4. Bardou, R., Focardi, R., Kawamoto, Y., Simionato, L., Steel, G., Tsay, J.-K.: Efficient Padding Oracle Attacks on Cryptographic Hardware. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 608–625. Springer, Heidelberg (2012)
  5. Bond, M., Anderson, R.: API level attacks on embedded systems. IEEE Computer Magazine 34(10) (2001)
  6. Bortolozzo, M., et al.: Attacking and Fixing PKCS#11 Security Tokens. In: CCS 2010. ACM Press (2010)
  7. Centenaro, M., Focardi, R., Luccio, F.L.: Type-based analysis of key management in PKCS#11 cryptographic devices. Journal of Computer Security 21(6) (2013)
  8. Clulow, J.: On the security of PKCS #11. In: Walter, C.D., Koç, Ç.K., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 411–425. Springer, Heidelberg (2003)
  9. Cortier, V., Keighren, G., Steel, G.: Automatic Analysis of the Security of XOR-Based Key Management Schemes. In: Grumberg, O., Huth, M. (eds.) TACAS 2007. LNCS, vol. 4424, pp. 538–552. Springer, Heidelberg (2007)
  10. Cortier, V., Steel, G., Wiedling, C.: Revoke and let live: a secure key revocation API for cryptographic devices. In: CCS 2012. ACM (2012)
  11. Delaune, S., Kremer, S., Steel, G.: Formal Analysis of PKCS#11 and Proprietary Extensions. Journal of Computer Security 18(6) (2010)
  12. Durgin, N., et al.: Undecidability of Bounded Security Protocols. In: Workshop on Formal Methods and Security Protocols. IEEE (1999)
  13. Fröschle, S., Sommer, N.: Concepts and Proofs for Configuring PKCS#11. In: Barthe, G., Datta, A., Etalle, S. (eds.) FAST 2011. LNCS, vol. 7140, pp. 131–147. Springer, Heidelberg (2012)
  14. Fröschle, S., Steel, G.: Analysing PKCS#11 key management APIs with unbounded fresh data. In: Degano, P., Viganò, L. (eds.) ARSPA-WITS 2009. LNCS, vol. 5511, pp. 92–106. Springer, Heidelberg (2009)
  15. Fröschle, S., Sommer, N.: Reasoning with past to prove PKCS#11 keys secure. In: Degano, P., Etalle, S., Guttman, J. (eds.) FAST 2010. LNCS, vol. 6561, pp. 96–110. Springer, Heidelberg (2011)
  16. Fröschle, S.B., Sommer, N.: When is a PKCS#11 configuration secure? Tech. rep. Reports of SFB/TR 14 AVACS 82, SFB/TR 14 AVACS (2011),
  17. Kremer, S., Künnemann, R.: Automated analysis of security protocols with global state. In: Security and Privacy. IEEE Computer Society (2014)
  18. Kremer, S., Künnemann, R., Steel, G.: Universally Composable Key-Management. In: Crampton, J., Jajodia, S., Mayes, K. (eds.) ESORICS 2013. LNCS, vol. 8134, pp. 327–344. Springer, Heidelberg (2013)
  19. Kremer, S., Steel, G., Warinschi, B.: Security for Key Management Interfaces. In: CSF 2011, pp. 66–82. IEEE Computer Society (2011)
  20. Longley, D., Rigby, S.: An Automatic Search for Security Flaws in Key Management Schemes. Computers and Security 11(1) (March 1992)
  21. PKCS #11 Cryptographic Token Interface Base Specification Version 2.40, Committee Specification 01. OASIS Open (September 2014),
  22. PKCS #11: Cryptographic Token Interface Standard. RSA Security Inc. v2.20 (June 2004)
  23. Schmidt, B., et al.: Automated Analysis of Diffie-Hellman Protocols and Advanced Security Properties. In: CSF 2012. IEEE (2012)

Copyright information

© Springer-Verlag Berlin Heidelberg 2015

Authors and Affiliations

  • Robert Künnemann, Department of Computer Science, TU Darmstadt, Germany
