Advertisement

Caml Crush: A PKCS#11 Filtering Proxy

  • Ryad Benadjila
  • Thomas Calderon
  • Marion Daubignard
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 8968)

Abstract

PKCS#11 is a very popular cryptographic API: it is the standard used by many Hardware Security Modules, smartcards and software cryptographic tokens. Several attacks have been uncovered against PKCS#11 at different levels: intrinsic logical flaws, cryptographic vulnerabilities or severe compliance issues. Since affected hardware remains widespread in computer infrastructures, we propose a user-centric and pragmatic approach for secure usage of vulnerable devices. We introduce Caml Crush, a PKCS#11 filtering proxy. Our solution allows to dynamically protect PKCS#11 cryptographic tokens from state of the art attacks. This is the first approach that is immediately applicable to commercially available products. We provide a fully functional open source implementation with an extensible filter engine effectively shielding critical resources. This yields additional advantages to using Caml Crush that go beyond classical PKCS#11 weakness mitigations.

Keywords

PKCS#11 Filter Proxy OCaml Software 

References

  1. 1.
  2. 2.
  3. 3.
  4. 4.
  5. 5.
  6. 6.
  7. 7.
  8. 8.
    Sun RPC RFC 1057 (1988). http://www.ietf.org/rfc/rfc1057.txt
  9. 9.
  10. 10.
    Xdr, RFC 4506 (2006). http://tools.ietf.org/html/rfc4506
  11. 11.
    Bortolozzo, M., Centenaro, M., Focardi, R., Steel, G.: Attacking and fixing PKCS#11 security tokens. In: ACM Conference on Computer and Communications Security, pp. 260–269. ACM Press, October 2010Google Scholar
  12. 12.
    Cachin, C., Chandran, N.: A secure cryptographic token interface. In: CSF 2009, pp. 141–153. IEEE Computer Society (2009)Google Scholar
  13. 13.
    Clulow, J.: On the security of PKCS #11. In: Walter, C.D., Koç, Ç.K., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 411–425. Springer, Heidelberg (2003) CrossRefGoogle Scholar
  14. 14.
    Cortier, V., Steel, G.: A generic security API for symmetric key management on cryptographic devices. In: Backes, M., Ning, P. (eds.) ESORICS 2009. LNCS, vol. 5789, pp. 605–620. Springer, Heidelberg (2009) CrossRefGoogle Scholar
  15. 15.
    Delaune, S., Kremer, S., Steel, G.: Formal security analysis of PKCS#11 and proprietary extensions. J. Comput. Secur. 18(6), 1211–1245 (2010)Google Scholar
  16. 16.
    Fröschle, S., Steel, G.: Analysing PKCS#11 key management APIs with unbounded fresh data. In: Degano, P., Viganò, L. (eds.) ARSPA-WITS 2009. LNCS, vol. 5511, pp. 92–106. Springer, Heidelberg (2009) CrossRefGoogle Scholar
  17. 17.
    Benadjila, R., Calderon, T., Daubignard, M.: CamlCrush: a PKCS#11 Filtering Proxy (2014). http://eprint.iacr.org/2015/063
  18. 18.
    RSA Security Inc.: PKCS#11 v2.20: Cryptographic Token Interface Standard (2004)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2015

Authors and Affiliations

  • Ryad Benadjila
    • 1
  • Thomas Calderon
    • 1
  • Marion Daubignard
    • 1
  1. 1.ANSSIParisFrance

Personalised recommendations