Caml Crush: A PKCS#11 Filtering Proxy

  • Conference paper
Smart Card Research and Advanced Applications (CARDIS 2014)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 8968)

Abstract

PKCS#11 is a very popular cryptographic API: it is the standard used by many Hardware Security Modules, smartcards and software cryptographic tokens. Several attacks have been uncovered against PKCS#11 at different levels: intrinsic logical flaws, cryptographic vulnerabilities or severe compliance issues. Since affected hardware remains widespread in computer infrastructures, we propose a user-centric and pragmatic approach for secure usage of vulnerable devices. We introduce Caml Crush, a PKCS#11 filtering proxy. Our solution makes it possible to dynamically protect PKCS#11 cryptographic tokens from state-of-the-art attacks. This is the first approach that is immediately applicable to commercially available products. We provide a fully functional open source implementation with an extensible filter engine effectively shielding critical resources. This yields additional advantages to using Caml Crush that go beyond classical PKCS#11 weakness mitigations.

Notes

  1. We refer the reader to the extended version of this paper [17] for more details.

References

  1. Caml Crush. https://github.com/ANSSI-FR/caml-crush/

  2. CryptokiX. http://secgroup.dais.unive.it/projects/security-apis/cryptokix/

  3. GNOME Keyring. http://live.gnome.org/GnomeKeyring

  4. grsecurity. http://grsecurity.net/

  5. openCryptoki. http://sourceforge.net/projects/opencryptoki/

  6. pkcs11-proxy. http://floss.commonit.com/pkcs11-proxy.html

  7. SELinux. http://selinuxproject.org/

  8. Sun RPC RFC 1057 (1988). http://www.ietf.org/rfc/rfc1057.txt

  9. CamlIDL project page (2004). http://caml.inria.fr/pub/old_caml_site/camlidl/

  10. Xdr, RFC 4506 (2006). http://tools.ietf.org/html/rfc4506

  11. Bortolozzo, M., Centenaro, M., Focardi, R., Steel, G.: Attacking and fixing PKCS#11 security tokens. In: ACM Conference on Computer and Communications Security, pp. 260–269. ACM Press, October 2010

  12. Cachin, C., Chandran, N.: A secure cryptographic token interface. In: CSF 2009, pp. 141–153. IEEE Computer Society (2009)

  13. Clulow, J.: On the security of PKCS #11. In: Walter, C.D., Koç, Ç.K., Paar, C. (eds.) CHES 2003. LNCS, vol. 2779, pp. 411–425. Springer, Heidelberg (2003)

  14. Cortier, V., Steel, G.: A generic security API for symmetric key management on cryptographic devices. In: Backes, M., Ning, P. (eds.) ESORICS 2009. LNCS, vol. 5789, pp. 605–620. Springer, Heidelberg (2009)

  15. Delaune, S., Kremer, S., Steel, G.: Formal security analysis of PKCS#11 and proprietary extensions. J. Comput. Secur. 18(6), 1211–1245 (2010)

  16. Fröschle, S., Steel, G.: Analysing PKCS#11 key management APIs with unbounded fresh data. In: Degano, P., Viganò, L. (eds.) ARSPA-WITS 2009. LNCS, vol. 5511, pp. 92–106. Springer, Heidelberg (2009)

  17. Benadjila, R., Calderon, T., Daubignard, M.: CamlCrush: a PKCS#11 Filtering Proxy (2014). http://eprint.iacr.org/2015/063

  18. RSA Security Inc.: PKCS#11 v2.20: Cryptographic Token Interface Standard (2004)


Corresponding author

Correspondence to Marion Daubignard.

Copyright information

© 2015 Springer International Publishing Switzerland

About this paper

Cite this paper

Benadjila, R., Calderon, T., Daubignard, M. (2015). Caml Crush: A PKCS#11 Filtering Proxy. In: Joye, M., Moradi, A. (eds) Smart Card Research and Advanced Applications. CARDIS 2014. Lecture Notes in Computer Science, vol 8968. Springer, Cham. https://doi.org/10.1007/978-3-319-16763-3_11

  • DOI: https://doi.org/10.1007/978-3-319-16763-3_11

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-16762-6

  • Online ISBN: 978-3-319-16763-3

  • eBook Packages: Computer Science, Computer Science (R0)
